Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:	1.exe
Analysis ID:	1575387
MD5:	fb14aae2ed93a7ddfa718f433f585735
SHA1:	34efa21245f1424be44346b2dc0698844dd30f3f
SHA256:	d1e0cac795c8f8ef7080d0c96f0240ea18f15d56ee5a17bb6595af01aa641e11
Infos:

Detection

INC Ransomware

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Found ransom note / readme

Multi AV Scanner detection for submitted file

Yara detected INC Ransomware

AI detected suspicious sample

Changes the wallpaper picture

Contains functionalty to change the wallpaper

Document exploit detected (process start blacklist hit)

Found Tor onion address

Found potential ransomware demand text

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected potential crypto function

Found potential string decryption / allocating functions

May use bcdedit to modify the Windows boot settings

Queries the volume information (name, serial number etc) of a device

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\1.exe" MD5: FB14AAE2ED93A7DDFA718F433F585735)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FXSSVC.exe (PID: 2932 cmdline: C:\Windows\system32\fxssvc.exe MD5: 8C6D3BF6997E02544BE68D43DABE2F39)

ONENOTE.EXE (PID: 7504 cmdline: /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{AF3AB8FA-AD7A-49AB-B8F2-82D9D57E4E04}.xps" 133787363258030000 MD5: 0061760D72416BCF5F2D9FA6564F0BEA)

OfficeC2RClient.exe (PID: 7560 cmdline: OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1 MD5: 4F025E7F9ADD3623A8B384BC0C7B18CB)

onenoteim.exe (PID: 7604 cmdline: "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca MD5: 56AC82018A550CF0C525F0C7891806F1)

cleanup

Malware Configuration

Threatname: INC Ransomware

{"Text Note": "~~~~ INC Ransom ~~~~\r\n\r\n-----> Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\r\nTor Browser Link:\r\n\thttp://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/\r\n\thttp://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/\r\n\r\nLink for normal browser:\r\n\thttp://incapt.su/\r\n\t\r\n-----> What guarantees are that we won't fool you?\r\nWe are not a politically motivated group and we want nothing more than money.\r\nIf you pay, we will provide you with decryption software and destroy the stolen data.\r\nAfter you pay the ransom, you will quickly restore your systems and make even more money.\r\nTreat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.\r\nOur pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.\r\nIf we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.\r\nYou can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live\r\n\r\n-----> You need to contact us on TOR darknet sites with your personal ID\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from you.\r\nSometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.\r\n\r\nTor Browser Link for chat:\r\n\thttp://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/\r\n\r\nYour personal ID:\r\n\t%id%\r\n\r\n-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!\r\n-----> Don't go to the police or the FBI for help. They won't help you.\r\nThe police will try to prohibit you from paying the ransom in any way.\r\nThe first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.\r\nThis is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.\r\nPaying the ransom to us is much cheaper and more profitable than paying fines and legal fees.\r\nThe police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.\r\nIf you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.\r\nThe police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.\r\nThe police and FBI won't protect you from repeated attacks. \r\n\r\n-----> Don't go to recovery companies!\r\nThey are essentially just middlemen who will make money off you and cheat you.\r\nWe are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.\r\nIf you approached us directly without intermediaries you would pay several times less.\r\n\r\n-----> For those who have cyber insurance against ransomware attacks.\r\nInsurance companies require you to keep your insurance information secret.\r\nIn most cases, we find this information and download it.\r\n\r\n-----> If you do not pay the ransom, we will attack your company again in the future.\r\n", "HTML Note": "<html>\r\n\t<head>\r\n\t\t<title>INC Ransom</title>\r\n\t</head>\r\n\t<body style=\"width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;\">\r\n\t\t<div style=\"display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;\">\r\n\t\t\t<div style=\"width: 80%;\">\r\n                <div style=\"display: flex; flex-direction: column;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Your data is stolen and encrypted.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>\r\n                    <span style=\"font-size: 14px;\">The sooner you pay the ransom, the sooner your company will be safe.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Blog Tor Browser Link:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Blog Link for normal browser:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incapt.su/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">You need to contact us on TOR darknet sites with your personal ID</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Download and install Tor Browser https://www.torproject.org/</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Chat Tor Browser Link:</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Your personal ID: </span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px; text-decoration: underline;\">%id%</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Don't go to recovery companies!</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">They are essentially just middlemen who will make money off you and cheat you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">We are well aware of cases where recovery companies tell you that the ransom price is $5M dollars, but in fact they secretly negotiate with us for $1M.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you approached us directly without intermediaries you would pay several times less.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">For those who have cyber insurance against ransomware attacks.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Insurance companies require you to keep your insurance information secret.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">In most cases, we find this information and download it.</span>\r\n                </div>\r\n            </div>\r\n            <div style=\"width: 80%;\">\r\n                <div style=\"display: flex; flex-direction: column;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">What guarantees are that we won't fool you?</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">We are not a politically motivated group and we want nothing more than money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you pay, we will provide you with decryption software and destroy the stolen data.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">After you pay the ransom, you will quickly restore your systems and make even more money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Our pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">You can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">Don't go to the police or the FBI for help. They won't help you.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police will try to prohibit you from paying the ransom in any way.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">This is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">Paying the ransom to us is much cheaper and more profitable than paying fines and legal fees.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">If you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.</span>\r\n                    <span style=\"font-size: 14px; margin-top: 8px;\">The police and FBI won't protect you from repeated attacks.</span>\r\n                </div>\r\n                <div style=\"display: flex; flex-direction: column; margin-top: 16px;\">\r\n                    <span style=\"font-size: 20px; font-weight: 600;\">If you do not pay the ransom, we will attack your company again in the future.</span>\r\n                </div>\r\n            </div>\r\n\t\t</div>\r\n\t</body>\r\n</html>", "ID": "6755d7b438e2eaa58b4521ef"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1.exe	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1992603027.00000000005FB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000000.1691485279.00000000005FB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.1988738388.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000003.1991840757.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
Process Memory Space: 1.exe PID: 7412	JoeSecurity_INCRansomware	Yara detected INC Ransomware	Joe Security
Click to see the 5 entries

Sigma Signatures

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\Users\user\AppData\Local\Temp\\background-image.jpg, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1.exe, ProcessId: 7412, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1.exe

Avira: detected

Found malware configuration

Source: 1.exe

Malware Configuration Extractor: INC Ransomware {"Text Note": "~~~~ INC Ransom ~~~~\r\n\r\n-----> Your data is stolen and encrypted.\r\nIf you don't pay the ransom, the data will be published on our TOR darknet sites.\r\nThe sooner you pay the ransom, the sooner your company will be safe.\r\n\r\nTor Browser Link:\r\n\thttp://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/\r\n\thttp://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/\r\n\r\nLink for normal browser:\r\n\thttp://incapt.su/\r\n\t\r\n-----> What guarantees are that we won't fool you?\r\nWe are not a politically motivated group and we want nothing more than money.\r\nIf you pay, we will provide you with decryption software and destroy the stolen data.\r\nAfter you pay the ransom, you will quickly restore your systems and make even more money.\r\nTreat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.\r\nOur pentest services should be paid just like you pay the salaries of your system administrators. Get over it and pay for it.\r\nIf we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.\r\nYou can get more information about us on Twitter https://twitter.com/hashtag/incransom?f=live\r\n\r\n-----> You need to contact us on TOR darknet sites with your personal ID\r\nDownload and install Tor Browser https://www.torproject.org/\r\nWrite to the chat room and wait for an answer, we'll guarantee a response from you.\r\nSometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.\r\n\r\nTor Browser Link for chat:\r\n\thttp://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/\r\n\r\nYour personal ID:\r\n\t%id%\r\n\r\n-----> Warning! Don't delete or modify encrypted files, it will lead to problems with decryption of files!\r\n-----> Don't go to the police or the FBI for help. They won't help you.\r\nThe police will try to prohibit you from paying the ransom in any way.\r\nThe first thing they will tell you is that there's no guarantee to decrypt your files and remove stolen files.\r\nThis is not true, we can do a test decryption before paying and your data will be guaranteed to be removed because it's a matter of our reputation.\r\nPaying the ransom to us is much cheaper and more profitable than paying fines and legal fees.\r\nThe police and the FBI don't care what losses you suffer as a result of our attack, and we'll help you get rid of all your problems for a modest sum of money.\r\nIf you're worried that someone will trace your bank transfers, you can easily buy cryptocurrency for cash, thus leaving no digital trail that someone from your company paid our ransom.\r\nThe police and FBI won't be able to stop lawsuits from your customers for leaking personal and private information.\r\nThe police and FBI won't protect you from repea

Multi AV Scanner detection for submitted file

Source: 1.exe	Virustotal: Detection: 73%			Perma Link
Source: 1.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.5% probability

Machine Learning detection for sample

Source: 1.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E90C0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,GetCommandLineW,CommandLineToArgvW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,ExitProcess,ExitProcess,SHEmptyRecycleBinA,GetConsoleWindow,ShowWindow,lstrlenW,lstrlenW,lstrlenW,Sleep,Sleep,Sleep,Sleep,Sleep,Sleep,	0_2_005E90C0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E5920 GetFileAttributesW,SetFileAttributesW,CreateFileW,GetFileSizeEx,CloseHandle,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,CryptGenRandom,lstrlenW,lstrlenW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyA,lstrlenW,lstrcpyW,CreateIoCompletionPort,ReadFile,InterlockedIncrement,	0_2_005E5920
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E6B30 lstrlenA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,lstrlenA,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,	0_2_005E6B30

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\1.exe	File created: C:\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\$WinREAgent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\$WinREAgent\Scratch\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\PerfLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\dbg\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\AppV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\AppV\Setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\UserData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\Keys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DeviceSync\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DRM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DRM\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\production\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\MapData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\MF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\NetFramework\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\Connections\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Office\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Settings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Settings\Accounts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Spectrum\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Speech_OneCore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Storage Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\Scripts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\Templates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Vault\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WDF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Features\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WwanSvc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft OneDrive\setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\vcRuntimeMinimum_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\regid.1991-06.com.microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\SoftwareDistribution\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\ssh\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\Logs\User\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\WindowsHolographicDevices\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Recovery\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\.ms-ad\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\3D Objects\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Contacts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\BPMLNOBVSB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\FENIVHOIKN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\NWTVCDUMOB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\UMMBDNEQBN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\VLZDGUKUTZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\WUTJSCBCFX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\BPMLNOBVSB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\FENIVHOIKN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\NWTVCDUMOB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\UMMBDNEQBN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\VLZDGUKUTZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\WUTJSCBCFX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Favorites\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\Camera Roll\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\Saved Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Recent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Searches\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\AccountPictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Libraries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Videos\INC-README.txt	Jump to behavior

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: c:	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E49A0 Sleep,lstrcmpiW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,		0_2_005E49A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E4AE0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,Sleep,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,_wcsstr,lstrcpyW,lstrcatW,Sleep,InterlockedExchangeAdd,CreateThread,FindNextFileW,FindClose,		0_2_005E4AE0

Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Clean Store\	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Networking

Found Tor onion address

Source: 1.exe, 00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: 1.exe, 00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: 1.exe, 00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: 1.exe, 00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: 1.exe, 00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: 1.exe, 00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span>
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span>
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span>
Source: 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt59.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt59.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt59.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt110.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt110.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt110.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt85.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt85.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt85.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt16.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt16.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt16.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt103.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt103.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt103.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt49.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt49.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt49.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt71.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt71.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt71.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt56.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt56.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt56.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt30.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt30.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt30.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt74.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt74.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt74.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt46.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt46.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt46.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt47.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt47.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt47.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt96.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt96.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt96.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt84.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt84.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt84.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt123.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt123.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt123.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt53.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt53.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt53.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt111.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt111.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt111.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: INC-README.txt127.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: INC-README.txt127.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: INC-README.txt127.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/

Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://b.c2r.ts.cdn.office.net/prcom
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr	String found in binary or memory: http://incapt.su/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr, INC-README.txt123.0.dr	String found in binary or memory: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr, INC-README.txt123.0.dr	String found in binary or memory: http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr, INC-README.txt123.0.dr	String found in binary or memory: http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glidesD
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://weather.service.msn.com/data.aspxd
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/download6
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/app/downloadG
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953968413.0000022B0DB6D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticatedV
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticatedF
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/apps/removeMBI_SSL_SHORTmsm-auth.store.office.comx
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removeP
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953968413.0000022B0DB6D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/queryl
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2103916753.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2127301114.0000022AF661C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF662B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102877552.0000022AF6629000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081468661.0000022AF6621000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599838291.0000022AF662C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2107201916.0000022AF6628000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analysis.windows.net/powerbi/apiion
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech#
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.com/G
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.aadrm.comG
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.omex.office.net/appstate/queryk
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.office.com/app/queryo
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplateS
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.cortana.ais
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedbackqB2H
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file49CHa
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/fileS9
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.microsoftstream.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.microsoftstream.com/api/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF6300000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2611338708.0000022AF6319000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598719826.0000022AF6302000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603899197.0000022AF647B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596619254.0000022AF62CF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netc
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netk
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.office.netw
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953448954.0000022B0C9AB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api~
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.onedrive.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups/8
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports&8QK?
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.scheduler.
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.live.net/v5.0/
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2123736524.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2103916753.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2127301114.0000022AF661C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF662B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102877552.0000022AF6629000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081468661.0000022AF6621000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599838291.0000022AF662C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2107201916.0000022AF6628000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://app.powerbi.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/OneNoteBulletinshttps://
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/oft/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com/v2
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598719826.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105705511.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603280305.0000022AF632D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601131255.0000022AF6327000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605002180.0000022AF6340000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102671803.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953789510.0000022B0DB00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049784861.0000022B0DA4E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614075408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124370808.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102321026.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602490996.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600925735.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596997411.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606781408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615348993.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104409697.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610910720.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlfK
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canary.designerapp.
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/create-module
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/create-moduleDJ#J
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fontsF
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assetsJK5K/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-stringsP
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen2I
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.designerapp.osi.office.net2m
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.entity.
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953236141.0000022B0C923000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts)A
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://client-office365-tas.msedge.net/abb9mH
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisoryG
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiesf
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policiess
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios08_K=
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954517360.0000022B0EEEA000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx1
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consentsP
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.ai/api
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.ai/apiW
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cortana.aietl
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cr.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cr.office.comW
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cr.office.comeK
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.docs.live.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.docs.live.netK
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/6n
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileC
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileI
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2955098116.0000022B0F043000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerapp.azurewebsites.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerapp.azurewebsites.netTmYKH
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2103916753.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2127301114.0000022AF661C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF662B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102877552.0000022AF6629000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081468661.0000022AF6621000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599838291.0000022AF662C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2107201916.0000022AF6628000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2123736524.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2103916753.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2127301114.0000022AF661C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF662B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102877552.0000022AF6629000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081468661.0000022AF6621000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599838291.0000022AF662C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2107201916.0000022AF6628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://designerappservice.officeapps.live.com6-
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/f
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev0-api.acompli.net/autodetectjn
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comMBI_SSL_SHORT
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://devnull.onenote.comt
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://directory.services.
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Office&DestinationEndpoint=Edge-Prod-EWR30&FrontEnd=AFD
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6551000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102671803.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16827.20130/Production/CC?&EcsCanary=1
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954830460.0000022B0EFC0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/rps
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://edge.skype.com/rpst
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1t
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1f
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtmlb
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechM
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechs
Source: OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602646631.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067166489.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/%sFirstPartyAppQueryhttps://fpastorage.cdn.office.net/firstpartyap
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/%sHl=J
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xmlz
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.ppe.windows.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.ppe.windows.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://graph.windows.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616836666.0000022AF4654000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.comnfig.Excel
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.comnfig.Outlookfor
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616836666.0000022AF4654000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.comnfig.System
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616836666.0000022AF4654000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubble.officeapps.live.comnfig.TextM
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/0
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1Jf
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=iconscrev=3W
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideosk
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideoss
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ic3.teams.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnostics.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.comN9
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incidents.diagnosticssdf.office.comeA9
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/client5
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientP
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://inclient.store.office.com/gyro/clientstoreK
Source: OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602646631.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067166489.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingL
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingr
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FacebookO
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953789510.0000022B0DB00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://invites.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechX
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifecycle.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lifecycle.office.comCd%J
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/25
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.comPI8h
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6A8F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049784861.0000022B0DA4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize6
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local$
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598719826.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105705511.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603280305.0000022AF632D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF6325000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize#
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize&
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize1
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize1A
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize1G
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize3
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize9B
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize9G
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorize;
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeAA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeAB
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeC
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeK
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeQARK7
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeQBRHW
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeS
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeV
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeYA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeYB
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeaA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeaC
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizec
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizei
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeiA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeiC
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeize#
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizek
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizent
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeqA2K;
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizes
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizetInfo
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizete
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizetinfo
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizetinfo&
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizey
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeyA
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/common/oauth2/authorizeyB
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1MBI_SSL_SHORT
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://make.powerautomate.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.azure.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EED6000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2379238389.0000022B0EED6000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://management.core.windows.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft;
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setcampaignactionMBI_SSL_SHORTmessaging.action.office.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16MBI_SSL_SHORTmessaging.action.office.comBearer
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16SendAutoRenewActionhttps://
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.action.office.com/setuseraction16c
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregatorMBI_SSL_SHORTmessaging.engagement.
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage165
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16MBI_SSL_SHORTmessaging.lifecycle.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16StoreUserStatushttps://odc.
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16Z
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16t
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://messaging.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log;
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mss.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.microsoftpersonalcontent.com&h
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://my.microsoftpersonalcontent.comli
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeecha
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechd
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954517360.0000022B0EEEA000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.contentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2955098116.0000022B0F043000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ncus.pagecontentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://notification.m365.svc.cloud.microsoft/PushNotifications.Registerd
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordN
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell3
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.netk9fH
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/K:
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com4
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com5b
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comApc
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comDd
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comEur:e
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comKc=M
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comNam
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comNamqe7K
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comPcVM
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comRdTJ$
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comW
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comY
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com_cQM
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comfe
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comk
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.commb
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comood
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comr
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.coms
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comux
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comvc8M
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.comvf8H
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officeci.azurewebsites.net/api/Jm;KM
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksv
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officepyservice.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officepyservice.office.net/rd;=pI
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/yC
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities0
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdatedhf
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/embed?
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/embed?i
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.azureedge.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049784861.0000022B0DA4E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614075408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124370808.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102321026.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602490996.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600925735.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596997411.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606781408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615348993.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104409697.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610910720.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953789510.0000022B0DB00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049784861.0000022B0DA4E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.comU
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office.comeAPI
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614075408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124370808.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102321026.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602490996.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600925735.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596997411.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606781408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615348993.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/ActivitiesIA:K:
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonF
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonG
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectors
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectorsf:
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.office365.com/connectorsssp:
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/1B
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=OutlookMBI_SSL_SHORT
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/review/query
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/review/queryTemplateStarthttps://
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/review/queryrd
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxC
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspxS
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://planner.cloud.microsoft
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600894712.0000022AF6AA7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerlift.acompli.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosj
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pushchannel.1drv.ms
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pushchannel.1drv.msLiveOAuthLoginStarthttps://login.
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pushchannel.1drv.msS
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.cdn.office.netPI
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6A8F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6A8F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://service.powerapps.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings.outlook.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shell.suite.office.com:1443
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skyapi.live.net/Activity/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://staging.cortana.ai
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EED6000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2379238389.0000022B0EED6000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://storage.azure.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocationInfo
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.cn/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.cn/addinstemplate0j
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.office.de/addinstemplate
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com-f
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/M365.Access
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/Todo-Internal.ReadWrite
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistoryf
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.com/search/api/v2/init_8
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comLf
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comP
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://substrate.office.comhZf
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://syncservice.o365syncservice.com/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://syncservice.o365syncservice.com/"
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tellmeservice.osi.office.netst
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954830460.0000022B0EFC0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/4h
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://templatesmetadata.office.net/h
Source: 1.exe, 00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/hashtag/incransom?f=liv
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr, INC-README.txt123.0.dr	String found in binary or memory: https://twitter.com/hashtag/incransom?f=live
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/F
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/G
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.htmlU
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com$
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com1U=yN
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com=
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devicesP
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.microsoftstream.com/video/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/6
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webshell.suite.office.com
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://webshell.suite.office.comLh
Source: OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067166489.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios$I
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wus2.contentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2955098116.0000022B0F043000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wus2.pagecontentsync.
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA24c
Source: OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2nb
Source: OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.odwebp.svc.ms
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr	String found in binary or memory: https://www.torproject.org/
Source: OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.yammer.com

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E6790 GetTempPathW,lstrcatW,lstrlenA,lstrlenA,lstrcpyA,CreateFontW,GetDC,CreateCompatibleDC,SelectObject,lstrlenA,GetTextExtentPoint32A,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetTextColor,SetBkMode,SetBkColor,lstrlenA,DrawTextA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,ReleaseDC,CreateFileW,WriteFile,WriteFile,WriteFile,WriteFile,CloseHandle,DeleteObject,DeleteObject,DeleteDC,DeleteObject,RegOpenKeyW,lstrlenW,RegSetValueExW,RegCloseKey,SystemParametersInfoW,

0_2_005E6790

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\INC-README.html

Dropped file: <html><head><title>INC Ransom</title></head><body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;"><div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;"><div style="width: 80%;"> <div style="display: flex; flex-direction: column;"> <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span> <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span> <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Blog Link for normal browser:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incapt.su/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">You need to contact us on TOR darknet sites with your personal ID</span> <span style="font-size: 14px; margin-top: 8px;">Download and install Tor Browser https://www.torproject.org/</span> <span style="font-size: 14px; margin-top: 8px;">Write to the chat room and wait for an answer, we'll guarantee a response from you.</span> <span style="font-size: 14px; margin-top: 8px;">Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span style="font-size: 20px; font-weight: 600;">Chat Tor Browser Link:</span> <span style="font-size: 14px; margin-top: 8px; text-decoration: underline;">http://incpaykabjqc2mtdxq6c23nqh4x6m5dkps5fr6vgdkgzp5njssx6qkid.onion/</span> </div> <div style="display: flex; flex-direction: column; margin-top: 16px;"> <span

Jump to dropped file

Yara detected INC Ransomware

Source: Yara match	File source: 1.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.1992603027.00000000005FB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1691485279.00000000005FB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1988738388.0000000004B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1991840757.0000000004B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7412, type: MEMORYSTR

Changes the wallpaper picture

Source: C:\Users\user\Desktop\1.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\user\AppData\Local\Temp\\background-image.jpg

Jump to behavior

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\1.exe

0_2_005E6790

Found potential ransomware demand text

Source: 1.exe, 00000000.00000003.1981864414.0000000004B50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: 1.exe, 00000000.00000003.1976846394.0000000001447000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: 1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html22.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt59.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt110.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt85.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt16.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html89.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html2.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt103.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt49.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt71.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt56.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html30.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt30.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt74.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt46.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt47.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt96.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt84.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt123.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html25.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html94.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html62.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html9.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt53.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.txt111.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html79.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.txt127.0.dr	String found in binary or memory : -----> Your data is stolen and encrypted.
Source: INC-README.html8.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>
Source: INC-README.html132.0.dr	String found in binary or memory : <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\1.exe	File moved: C:\Users\user\Desktop\UMMBDNEQBN.xlsx	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File moved: C:\Users\user\Desktop\VLZDGUKUTZ\DVWHKMNFNN.png	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File moved: C:\Users\user\Desktop\VLZDGUKUTZ.docx	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File moved: C:\Users\user\Desktop\UMMBDNEQBN\ZBEDCJPBEY.mp3	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File moved: C:\Users\user\Desktop\VLZDGUKUTZ\HTAGVDFUIE.jpg	Jump to behavior

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\1.exe	File dropped: C:\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\$WinREAgent\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\$WinREAgent\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\$WinREAgent\Scratch\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\$WinREAgent\Scratch\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\PerfLogs\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\PerfLogs\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\ProgramData\INC-README.html -> decryption software and destroy the stolen data.</span> <span style="font-size: 14px; margin-top: 8px;">after you pay the ransom, you will quickly restore your systems and make even more money.</span> <span style="font-size: 14px; margin-top: 8px;">treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.</span> <span style="font-size: 14px; margin-top: 8px;">our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.</span> <span style="font-size: 14px; margin-top: 8px;">if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.</span> <span style="font-size: 14px; margin-top: 8px;">you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=li	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File dropped: C:\ProgramData\INC-README.txt -> decryption software and destroy the stolen data.after you pay the ransom, you will quickly restore your systems and make even more money.treat this situation simply as a paid training for your system administrators, because it is due to your corporate network not being properly configured that we were able to attack you.our pentest services should be paid just like you pay the salaries of your system administrators. get over it and pay for it.if we don't give you a decryptor or delete your data after you pay, no one will pay us in the future.you can get more information about us on twitter https://twitter.com/hashtag/incransom?f=live-----> you need to contact us on tor darknet sites with your personal iddownload and install tor browser https://www.torproject.org/write to the chat room and wait for an answer, we'll guarantee a response from you.sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack tens of companies around the world.	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpAsDesc.dll.mui entropy: 7.99696667294	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpEvMsg.dll.mui entropy: 7.99645627577	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\mpuxagent.dll.mui entropy: 7.99339359832	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\mpuxagent.dll.mui entropy: 7.99429008098	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\mpuxagent.dll.mui entropy: 7.99382286688	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpEvMsg.dll.mui entropy: 7.99657963554	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpAsDesc.dll.mui entropy: 7.99732860738	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpAsDesc.dll.mui entropy: 7.9968968194	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpEvMsg.dll.mui entropy: 7.99704010335	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.lkg entropy: 7.99998773595	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.lkg entropy: 7.9998790694	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.lkg entropy: 7.99997296745	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.lkg entropy: 7.99980885661	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.lkg entropy: 7.99994421182	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm entropy: 7.999973525	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm entropy: 7.99940762636	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm entropy: 7.99970117135	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm entropy: 7.99997528877	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavbase.vdm entropy: 7.99997759051	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasdlta.vdm entropy: 7.99982817449	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavdlta.vdm entropy: 7.99802592141	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log entropy: 7.99749932886	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log entropy: 7.99691298145	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log entropy: 7.99722343922	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log entropy: 7.99712791375	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs entropy: 7.99726132127	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl entropy: 7.99923723405	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs entropy: 7.99673246863	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log entropy: 7.99714531606	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db entropy: 7.99811226329	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db entropy: 7.99895143643	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasbase.vdm entropy: 7.99998534858	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\mpuxagent.dll.mui entropy: 7.99467159866	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml entropy: 7.99275610352	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml entropy: 7.99227120705	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat entropy: 7.99969555481	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml entropy: 7.99198308613	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db entropy: 7.99292426219	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\mpuxagent.dll.mui entropy: 7.99126558599	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml entropy: 7.99754377	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\mpuxagent.dll.mui entropy: 7.99341927918	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\MpAsDesc.dll.mui entropy: 7.99690832496	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml entropy: 7.9997952419	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\mpuxagent.dll.mui entropy: 7.99344774576	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml entropy: 7.99825897611	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml entropy: 7.99760678634	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man entropy: 7.99803732013	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\mpuxagent.dll.mui entropy: 7.99295645982	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\mpuxagent.dll.mui entropy: 7.99319838999	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml entropy: 7.99735993834	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\MpAsDesc.dll.mui entropy: 7.99736069367	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml entropy: 7.99752444333	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\mpuxagent.dll.mui entropy: 7.99260919802	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml entropy: 7.99646263593	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml entropy: 7.99676651953	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\mpuxagent.dll.mui entropy: 7.99444119306	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\MpAsDesc.dll.mui entropy: 7.99687137763	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml entropy: 7.99693627484	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\mpuxagent.dll.mui entropy: 7.994703601	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml entropy: 7.99713086552	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db entropy: 7.99292687039	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\mpuxagent.dll.mui entropy: 7.99416135308	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\IGD.CAT entropy: 7.99482483019	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl entropy: 7.99977395574	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl entropy: 7.99977251701	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl entropy: 7.99935416575	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png entropy: 7.99879761725	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl entropy: 7.99911399234	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png entropy: 7.99529954679	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png entropy: 7.99268051606	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png entropy: 7.99485820279	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png entropy: 7.99872512414	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png entropy: 7.99337468162	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp entropy: 7.9996623955	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log entropy: 7.99946005195	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico entropy: 7.99649093137	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico entropy: 7.99319042852	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp entropy: 7.99974468972	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico entropy: 7.99750898568	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico entropy: 7.99619067815	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico entropy: 7.99691841952	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico entropy: 7.99639374877	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml entropy: 7.99396504479	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat entropy: 7.99788795388	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db entropy: 7.99961362504	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico entropy: 7.99877121149	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico entropy: 7.99682715792	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico entropy: 7.99680349417	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico entropy: 7.99688601347	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat entropy: 7.99981706519	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml entropy: 7.99428326759	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico entropy: 7.99641768491	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico entropy: 7.9966445914	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico entropy: 7.99709021709	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico entropy: 7.99708046967	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db entropy: 7.99537350828	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat entropy: 7.99972043738	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man entropy: 7.99954816326	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml entropy: 7.99729306058	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml entropy: 7.99657344351	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json entropy: 7.99893221619	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk entropy: 7.99872633177	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml entropy: 7.99895154882	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml entropy: 7.99414444526	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml entropy: 7.99800428917	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml entropy: 7.99099916886	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml entropy: 7.99934073882	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml entropy: 7.9985226623	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml entropy: 7.99835320643	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json entropy: 7.99822732379	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk entropy: 7.99826059047	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml entropy: 7.99807972496	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml entropy: 7.99825350454	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml entropy: 7.99860630266	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml entropy: 7.99337312203	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\MasterDescriptor.en-us.xml.INC (copy) entropy: 7.99396504479	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.dat.cat.INC (copy) entropy: 7.99788795388	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.db.INC (copy) entropy: 7.99961362504	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\MasterDescriptor.x-none.xml.INC (copy) entropy: 7.99428326759	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\stream.x86.en-us.man.dat.INC (copy) entropy: 7.99981706519	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.dat.cat.INC (copy) entropy: 7.99972043738	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\stream.x86.x-none.db.INC (copy) entropy: 7.99537350828	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99729306058	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml.INC (copy) entropy: 7.99099916886	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.INC (copy) entropy: 7.99414444526	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml.INC (copy) entropy: 7.99657344351	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99895154882	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99800428917	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.INC (copy) entropy: 7.9985226623	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml.INC (copy) entropy: 7.99934073882	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.INC (copy) entropy: 7.99954816326	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99835320643	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml.INC (copy) entropy: 7.99825350454	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.INC (copy) entropy: 7.99337312203	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99807972496	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99860630266	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.INC (copy) entropy: 7.99275610352	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.INC (copy) entropy: 7.99227120705	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.INC (copy) entropy: 7.99198308613	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99754377	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.99825897611	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.INC (copy) entropy: 7.99760678634	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.INC (copy) entropy: 7.9997952419	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.INC (copy) entropy: 7.99803732013	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.INC (copy) entropy: 7.99879761725	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.INC (copy) entropy: 7.99529954679	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.INC (copy) entropy: 7.99268051606	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.INC (copy) entropy: 7.99485820279	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.INC (copy) entropy: 7.99872512414	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.INC (copy) entropy: 7.99337468162	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico.INC (copy) entropy: 7.99649093137	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\netfol.ico.INC (copy) entropy: 7.99319042852	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico.INC (copy) entropy: 7.99750898568	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ringtones.ico.INC (copy) entropy: 7.99619067815	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\settings.ico.INC (copy) entropy: 7.99691841952	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\sync.ico.INC (copy) entropy: 7.99639374877	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\wmp.ico.INC (copy) entropy: 7.99877121149	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico.INC (copy) entropy: 7.99682715792	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico.INC (copy) entropy: 7.99680349417	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico.INC (copy) entropy: 7.99688601347	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico.INC (copy) entropy: 7.99641768491	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_.ico.INC (copy) entropy: 7.9966445914	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_property.ico.INC (copy) entropy: 7.99709021709	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\scan_settings.ico.INC (copy) entropy: 7.99708046967	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.INC (copy) entropy: 7.99893221619	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.INC (copy) entropy: 7.99872633177	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.INC (copy) entropy: 7.99822732379	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk.INC (copy) entropy: 7.99826059047	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.INC (copy) entropy: 7.99923723405	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.INC (copy) entropy: 7.99811226329	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.INC (copy) entropy: 7.99292426219	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.INC (copy) entropy: 7.99292687039	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl.INC (copy) entropy: 7.99977395574	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl.INC (copy) entropy: 7.99911399234	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl.INC (copy) entropy: 7.99935416575	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl.INC (copy) entropy: 7.99977251701	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log.INC (copy) entropy: 7.99946005195	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00001.log.INC (copy) entropy: 7.99691298145	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00002.log.INC (copy) entropy: 7.99722343922	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb.log.INC (copy) entropy: 7.99749932886	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edb00003.log.INC (copy) entropy: 7.99712791375	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00001.jrs.INC (copy) entropy: 7.99726132127	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbres00002.jrs.INC (copy) entropy: 7.99673246863	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\edbtmp.log.INC (copy) entropy: 7.99714531606	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.INC (copy) entropy: 7.99895143643	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Storage Health\StorageHealthModel.dat.INC (copy) entropy: 7.99969555481	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win32.xml.INC (copy) entropy: 7.99735993834	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2010Win64.xml.INC (copy) entropy: 7.99752444333	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win32.xml.INC (copy) entropy: 7.99646263593	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2013Win64.xml.INC (copy) entropy: 7.99676651953	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win32.xml.INC (copy) entropy: 7.99693627484	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016Win64.xml.INC (copy) entropy: 7.99713086552	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.INC (copy) entropy: 7.9996623955	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.INC (copy) entropy: 7.99974468972	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.lkg.INC (copy) entropy: 7.99980885661	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.lkg.INC (copy) entropy: 7.9998790694	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsDlta.vdm.INC (copy) entropy: 7.99940762636	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvDlta.vdm.INC (copy) entropy: 7.99970117135	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasdlta.vdm.INC (copy) entropy: 7.99982817449	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavdlta.vdm.INC (copy) entropy: 7.99802592141	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\mpuxagent.dll.mui.INC (copy) entropy: 7.99467159866	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\mpuxagent.dll.mui.INC (copy) entropy: 7.99126558599	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\mpuxagent.dll.mui.INC (copy) entropy: 7.99341927918	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.lkg.INC (copy) entropy: 7.99994421182	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\MpAsDesc.dll.mui.INC (copy) entropy: 7.99690832496	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99344774576	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99295645982	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\mpuxagent.dll.mui.INC (copy) entropy: 7.99319838999	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\MpAsDesc.dll.mui.INC (copy) entropy: 7.99736069367	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\mpuxagent.dll.mui.INC (copy) entropy: 7.99260919802	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\mpuxagent.dll.mui.INC (copy) entropy: 7.99444119306	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\MpAsDesc.dll.mui.INC (copy) entropy: 7.99687137763	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\mpuxagent.dll.mui.INC (copy) entropy: 7.99416135308	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\IGD.CAT.INC (copy) entropy: 7.99482483019	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.lkg.INC (copy) entropy: 7.99997296745	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\mpuxagent.dll.mui.INC (copy) entropy: 7.994703601	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpAsDesc.dll.mui.INC (copy) entropy: 7.99732860738	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpAsDesc.dll.mui.INC (copy) entropy: 7.9968968194	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpEvMsg.dll.mui.INC (copy) entropy: 7.99704010335	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\mpuxagent.dll.mui.INC (copy) entropy: 7.99382286688	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\mpuxagent.dll.mui.INC (copy) entropy: 7.99339359832	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAsBase.vdm.INC (copy) entropy: 7.999973525	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpEvMsg.dll.mui.INC (copy) entropy: 7.99645627577	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\mpuxagent.dll.mui.INC (copy) entropy: 7.99429008098	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\MpEvMsg.dll.mui.INC (copy) entropy: 7.99657963554	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\MpAvBase.vdm.INC (copy) entropy: 7.99997528877	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpAsDesc.dll.mui.INC (copy) entropy: 7.99696667294	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpavbase.vdm.INC (copy) entropy: 7.99997759051	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.lkg.INC (copy) entropy: 7.99998773595	Jump to dropped file
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\mpasbase.vdm.INC (copy) entropy: 7.99998534858	Jump to dropped file

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E4E00: CreateFileW,GetLastError,DeviceIoControl,GetLastError,CloseHandle,

0_2_005E4E00

Source: C:\Users\user\Desktop\1.exe	Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW, shutdown.exe -r		0_2_005E8D50
Source: C:\Users\user\Desktop\1.exe	Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW, C:\Windows\system32\shutdown.exe		0_2_005E8D50

Source: C:\Users\user\Desktop\1.exe	File created: C:\Windows\system32\spool\PRINTERS\00002.SPL	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Windows\system32\spool\PRINTERS\00003.SPL	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Windows\system32\spool\PRINTERS\00004.SPL	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005F987C	0_2_005F987C
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E74E0	0_2_005E74E0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005EC540	0_2_005EC540
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E1110	0_2_005E1110
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005F5120	0_2_005F5120
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005F55CE	0_2_005F55CE
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E2DE0	0_2_005E2DE0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E8990	0_2_005E8990
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005EC76F	0_2_005EC76F

Source: C:\Users\user\Desktop\1.exe

Code function: String function: 005E4800 appears 35 times

Source: 1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: onenoteim.exe, 0000000E.00000002.2953386238.0000022B0C992000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: @psCOM@T;..VBPd

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@7/738@0/0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E71E0 SetNamedSecurityInfoW,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,

0_2_005E71E0

Source: C:\Users\user\Desktop\1.exe

Code function: lstrcmpiW,lstrcpyW,GetModuleHandleW,GetModuleFileNameW,lstrcpyW,lstrcatW,lstrcatW,OpenSCManagerW,CreateServiceW,GetLastError,GetLastError,GetLastError,GetLastError,RegCreateKeyExW,RegSetValueExW,RegSetValueExW,RegCloseKey,RegCloseKey,RegCreateKeyExW,RegSetValueExW,RegCloseKey,Wow64DisableWow64FsRedirection,CreateProcessW,CreateProcessW,GetLastError,CreateProcessW,

0_2_005E8D50

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E7110 CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,_wcsstr,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

0_2_005E7110

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005EBD23 LockResource,

0_2_005EBD23

Source: C:\Users\user\Desktop\1.exe

File created: C:\Users\INC-README.html

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03

Source: C:\Users\user\Desktop\1.exe

File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.html

Jump to behavior

Source: 1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1.exe	Virustotal: Detection: 73%
Source: 1.exe	ReversingLabs: Detection: 78%

Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: --help
Source: 1.exe	String found in binary or memory: --help
Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: --helpDisplay this message
Source: 1.exe	String found in binary or memory: shutdown.exe -rC:\Windows\system32\shutdown.exe--file--dir--sup--ens--lhd--debug--kill--help--hide--mode[*] Count of arguments: %d
Source: 1.exe	String found in binary or memory: shutdown.exe -rC:\Windows\system32\shutdown.exe--file--dir--sup--ens--lhd--debug--kill--help--hide--mode[*] Count of arguments: %d

Source: unknown	Process created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
Source: C:\Users\user\Desktop\1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE /insertdoc "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\{AF3AB8FA-AD7A-49AB-B8F2-82D9D57E4E04}.xps" 133787363258030000
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe "C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe" -ServerName:microsoft.onenoteim.AppXxqb9ypsz6cs1w07e1pmjy4ww4dy9tpqr.mca
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE	Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe OfficeC2RClient.exe /error PID=7504 ProcessName="Microsoft OneNote" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x800c0006 ShowUI=1	Jump to behavior

Source: C:\Users\user\Desktop\1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: print.printsupport.source.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	Section loaded: prnfldr.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxst30.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsroute.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: apphelp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msoimm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso98imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso40uiimm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso30imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: oneclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onmainim.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: concrt140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso50imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso50imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: office.ui.xaml.onenote.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: react.uwp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: chakra.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icuuc.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icuin.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: icu.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: logoncli.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.profile.retailinfo.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.remotedesktop.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winsta.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.profile.systemid.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: clipc.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: office.ui.xaml.core.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wininet.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: sspicli.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winhttp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mswsock.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: winnsi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.lockscreen.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: wincorlib.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: lockappbroker.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msvcp110_win.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: powrprof.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: umpdc.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: schannel.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: webservices.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: vaultcli.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.networking.hostname.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.energy.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: aadwamextension.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.web.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: windows.applicationmodel.store.dll
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Section loaded: cabinet.dll

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTE.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: 1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E6C70 LoadLibraryW,GetProcAddress,

0_2_005E6C70

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E9FD6 push ecx; ret

0_2_005E9FE9

Source: 1.exe

Binary or memory string: ServiceSYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmksvcSYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmksvcbcdedit.exe /set {default} safeboot networkC:\Windows\system32\bcdedit.exe[-] Failed to enter safe mode! %d

Source: C:\Users\user\Desktop\1.exe	File created: C:\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\$WinREAgent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\$WinREAgent\Scratch\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\PerfLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\dbg\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\AppV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\AppV\Setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\en-us.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\AAD0B0DB-711A-45EF-A013-BDD28531EC08\x-none.16\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\UserData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\Keys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\PCPKSP\WindowsAIK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Crypto\SystemKeys\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DeviceSync\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\CustomTraceProfiles\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\Autologger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\EventTranscript\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\FeedbackHub\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Sideload\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Siufloc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLanding\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\SoftLandingStage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Channels\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\DeviceStateData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DRM\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\DRM\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\EdgeUpdate\Log\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\INT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\IdentityCRL\production\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\MapData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\MF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\NetFramework\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\Connections\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Network\Downloader\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Office\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\Applications\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Search\Data\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Settings\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Settings\Accounts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Spectrum\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Speech_OneCore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Storage Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\InboxTemplates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\Scripts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\UEV\Templates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\User Account Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Vault\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WDF\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Clean Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{744D5067-632F-490D-A7F8-522F3DDB7ACB}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Features\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\LocalCopy\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ka-GE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kk-KZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\km-KH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kn-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ko-KR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\kok-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lb-LU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lo-LA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lt-LT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\lv-LV\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mi-NZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mk-MK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ml-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ms-MY\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nb-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nn-NO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\or-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pa-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\quz-PE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ro-RO\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\00\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\03\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\05\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Snapshots\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender\Support\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\Windows Security Health\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WinMSIPC\Server\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft\WwanSvc\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Microsoft OneDrive\setup\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\vcRuntimeMinimum_amd64\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\Helium\Cache\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\S-1-5-21-2246122658-3693405117-2476756634-1002\SystemAppData\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1001\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\S-1-5-21-2246122658-3693405117-2476756634-1002\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\regid.1991-06.com.microsoft\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\SoftwareDistribution\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\ssh\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\Logs\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\USOShared\Logs\User\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\WindowsHolographicDevices\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\ProgramData\WindowsHolographicDevices\SpatialStore\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Recovery\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Default\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\.ms-ad\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\3D Objects\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Contacts\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\BPMLNOBVSB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\FENIVHOIKN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\NWTVCDUMOB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\UMMBDNEQBN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\VLZDGUKUTZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Desktop\WUTJSCBCFX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\BPMLNOBVSB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\FENIVHOIKN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\NWTVCDUMOB\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\UMMBDNEQBN\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\VLZDGUKUTZ\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Documents\WUTJSCBCFX\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Favorites\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Favorites\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Links\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\OneDrive\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\Camera Roll\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Pictures\Saved Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Recent\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Saved Games\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Searches\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\user\Videos\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\AccountPictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Desktop\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Documents\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Downloads\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Libraries\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Music\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Pictures\INC-README.txt	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File created: C:\Users\Public\Videos\INC-README.txt	Jump to behavior

Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\1.exe

Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,GetLastError,GetLastError,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,

0_2_005E6F70

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E49A0 Sleep,lstrcmpiW,lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,FindNextFileW,FindClose,		0_2_005E49A0
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E4AE0 lstrcpyW,lstrcatW,FindFirstFileW,lstrcmpiW,Sleep,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpiW,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,_wcsstr,lstrcpyW,lstrcatW,Sleep,InterlockedExchangeAdd,CreateThread,FindNextFileW,FindClose,		0_2_005E4AE0

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E56A0 GetSystemInfo,CreateIoCompletionPort,CreateThread,CreateThread,

0_2_005E56A0

Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\	Jump to behavior
Source: C:\Users\user\Desktop\1.exe	File opened: C:\ProgramData\Microsoft\Windows Defender\Clean Store\	Jump to behavior

Source: operations.db.0.dr	Binary or memory string: PXA5AScIvMCImrQWnUlK4F/6o1LRBi5HHuZNpAnWxvI=+
Source: OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596619254.0000022AF62CF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: onenoteim.exe, 0000000E.00000002.2953236141.0000022B0C923000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005EF4C6 lstrcmpiW,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005EF4C6

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E6C70 LoadLibraryW,GetProcAddress,

0_2_005E6C70

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005EE0A3 mov eax, dword ptr fs:[00000030h]

0_2_005EE0A3

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005F36C0 GetProcessHeap,

0_2_005F36C0

Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005EF4C6 lstrcmpiW,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005EF4C6
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E9DB7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E9DB7
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E9ED2 SetUnhandledExceptionFilter,	0_2_005E9ED2
Source: C:\Users\user\Desktop\1.exe	Code function: 0_2_005E96E5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005E96E5

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E7280 AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,SetNamedSecurityInfoW,GetCurrentProcess,OpenProcessToken,SetNamedSecurityInfoW,SetNamedSecurityInfoW,FreeSid,LocalFree,CloseHandle,

0_2_005E7280

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E9FED cpuid

0_2_005E9FED

Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST82E.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST82F.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation

Source: C:\Users\user\Desktop\1.exe

Code function: 0_2_005E9CA6 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005E9CA6

Source: C:\Users\user\Desktop\1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 1.exe, 00000000.00000003.1880095627.0000000004BA1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Windows Service	1 Access Token Manipulation	2 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	1 Proxy	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Windows Service	1 DLL Side-Loading	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	1 Defacement
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Process Injection	11 Masquerading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Access Token Manipulation	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Process Injection	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Bootkit	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1.exe	74%	Virustotal		Browse
1.exe	79%	ReversingLabs	Win32.Ransomware.Raninc
1.exe	100%	Avira	TR/AVI.RansomX.xjhey
1.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://messagebroker.mobile.m365.svc.cloud.microsoft;	0%	Avira URL Cloud	safe
https://api.cortana.ais	0%	Avira URL Cloud	safe
https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em	0%	Avira URL Cloud	safe
https://api.aadrm.comG	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/6n	0%	Avira URL Cloud	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechM	0%	Avira URL Cloud	safe
https://login.microsoftonline.comPI8h	0%	Avira URL Cloud	safe
https://my.microsoftpersonalcontent.com&h	0%	Avira URL Cloud	safe
https://syncservice.o365syncservice.com/	0%	Avira URL Cloud	safe
https://d.docs.live.netK	0%	Avira URL Cloud	safe
https://officepyservice.office.net/rd;=pI	0%	Avira URL Cloud	safe
https://pushchannel.1drv.msLiveOAuthLoginStarthttps://login.	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.net/common/oauth2/authorize1A	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows-ppe.net/common/oauth2/authorize6	OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	false		high
https://shell.suite.office.com:1443	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorize1G	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dataservice.o365filtering.com/6n	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://designerapp.azurewebsites.net	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.aadrm.comG	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://officeci.azurewebsites.net/api/Jm;KM	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/	OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614075408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124370808.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102321026.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602490996.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600925735.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2596997411.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606781408.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615348993.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104409697.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2610910720.0000022AF65E3000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2953758287.0000022B0DA55000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954898044.0000022B0EFDF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://useraudit.o365auditrealtimeingestion.manage.office.com	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/connectors	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049581588.0000022B0DA1A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.entity.	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeAA	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messagebroker.mobile.m365.svc.cloud.microsoft;	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6A8F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeAB	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lookup.onenote.com/lookup/geolocation/v1	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.torproject.org/	1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.1995444794.0000000004BB2000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudfiles.onenote.com/upload.aspxOneNoteCloudFilesConsumerEmbedhttps://onedrive.live.com/em	OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.aadrm.com/	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064175577.0000022AF65E0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messaging.lifecycle.office.com/getcustommessage16t	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://canary.designerapp.	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.cortana.ais	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yammer.com	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/ActivitiesIA:K:	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2955098116.0000022B0F043000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=ImmersiveApp	OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2602646631.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2067166489.0000022AF65A7000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.microsoftstream.com/api/	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cr.office.com	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messagebroker.mobile.m365.svc.cloud.microsoft	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://otelrules.svc.static.microsoft	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954628967.0000022B0EF31000.00000004.00000020.00020000.00000000.sdmp	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechM	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://edge.skype.com/registrar/prod	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.comPI8h	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://officeci.azurewebsites.net/api/	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorize#	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://my.microsoftpersonalcontent.com	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/c2r/v1.0/DeltaAdvisoryG	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://officepyservice.office.net/rd;=pI	OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6596000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.office.cn/addinstemplate	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://syncservice.o365syncservice.com/	OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorize&	OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.officescripts.microsoftusercontent.com/api~	OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	false		high
https://edge.skype.com/rps	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954830460.0000022B0EFC0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizetInfo	OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599929741.0000022AF6569000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064843003.0000022AF6559000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messaging.engagement.office.com/	OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://onedrive.live.com/embed?i	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://substrate.office.com/search/api/v2/init_8	OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954193785.0000022B0EE00000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.odwebp.svc.ms	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.powerbi.com/v1.0/myorg/groups	OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.microsoftstream.com/video/	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.addins.store.officeppe.com/addinstemplate	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA24c	OfficeC2RClient.exe, 0000000C.00000003.2610435457.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2606149077.0000022AF64F2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604390973.0000022AF64CB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607691377.0000022AF64F4000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2126506126.0000022AF64E9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2605089941.0000022AF64DF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeQBRHW	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://graph.windows.net	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600312043.0000022AF6AC0000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=FacebookO	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604358700.0000022AF6494000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://my.microsoftpersonalcontent.com&h	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policiess	OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeize#	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/autodiscover/autodiscover.jsonF	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/autodiscover/autodiscover.jsonG	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://consent.config.office.com/consentcheckin/v1.0/consents	OfficeC2RClient.exe, 0000000C.00000003.2101864968.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2106608655.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2105025991.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2603498790.0000022AF648F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124732363.0000022AF6469000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597881208.0000022AF6465000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2597221986.0000022AF643D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2604006184.0000022AF649B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125858893.0000022AF646A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://notification.m365.svc.cloud.microsoft/PushNotifications.Register	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064289646.0000022AF62E3000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052264353.0000022B0EFD0000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d.docs.live.net	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://safelinks.protection.outlook.com/api/GetPolicy	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6A8F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599603439.0000022AF6A89000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ncus.contentsync.	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954517360.0000022B0EEEA000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policiesf	OfficeC2RClient.exe, 0000000C.00000003.2610304330.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bingr	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeaC	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeaA	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://weather.service.msn.com/data.aspx	OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://substrate.office.comP	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954718708.0000022B0EF8C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://messaging.action.office.com/setuseraction16c	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://d.docs.live.netK	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://o365auditrealtimeingestion.manage.office.com/api/userauditrecordN	OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6AD5000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049645692.0000022B0DA24000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://devnull.onenote.comMBI_SSL_SHORT	OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mss.office.com	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2601805194.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2615879140.0000022AF6A70000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pushchannel.1drv.ms	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2616353863.0000022AF6B3E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6B3D000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599528119.0000022AF6B32000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049719470.0000022B0DA46000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pushchannel.1drv.msLiveOAuthLoginStarthttps://login.	OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2051026132.0000022B0F012000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.windows.net/common/oauth2/authorizec	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wus2.contentsync.	OfficeC2RClient.exe, 0000000C.00000003.2067096951.0000022AF660A000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600708878.0000022AF6B1C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064038362.0000022AF65E8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049753664.0000022B0DA4A000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/user/v1.0/ios	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://incblog7vmuq7rktic73r4ha4j757m3ptym37tyvifzp2roedyyzzxid.onion/	1.exe, 00000000.00000002.1993113149.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1977112947.0000000001448000.00000004.00000020.00020000.00000000.sdmp, INC-README.html22.0.dr, INC-README.txt59.0.dr, INC-README.txt110.0.dr, INC-README.txt85.0.dr, INC-README.txt16.0.dr, INC-README.html89.0.dr, INC-README.html2.0.dr, INC-README.txt103.0.dr, INC-README.txt49.0.dr, INC-README.txt71.0.dr, INC-README.txt56.0.dr, INC-README.html30.0.dr, INC-README.txt30.0.dr, INC-README.txt74.0.dr, INC-README.txt46.0.dr, INC-README.txt47.0.dr, INC-README.txt96.0.dr, INC-README.txt84.0.dr, INC-README.txt123.0.dr	false		high
https://api.addins.omex.office.net/api/addins/search	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA44000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2052257524.0000022B0EFBF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.office365.com/api/v1.0/me/Activities	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049676859.0000022B0DA2B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000002.2954786562.0000022B0EF9D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.diagnosticssdf.office.com/v2/feedbackqB2H	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients.config.office.net/user/v1.0/android/policies	OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2102963584.0000022AF45FA000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2613190500.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2607519749.0000022AF4652000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2614580591.0000022AF466E000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049515762.0000022B0DA1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.windows.net/common/oauth2/authorizeS	OfficeC2RClient.exe, 0000000C.00000003.2599263030.0000022AF6ACE000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2064732612.0000022AF6AA9000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599758266.0000022AF6AD8000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598982387.0000022AF6AAB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600645308.0000022AF6B0C000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600214576.0000022AF6ADB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://entitlement.diagnostics.office.com	OfficeC2RClient.exe, 0000000C.00000003.2601590448.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A31000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2125696936.0000022AF6A5E000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101507701.0000022AF6A5F000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2124608026.0000022AF6A5B000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2101646631.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081518472.0000022AF65EB000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2598602224.0000022AF6A52000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063716037.0000022AF65AF000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2063250114.0000022AF6A60000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599123022.0000022AF6A61000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2082077097.0000022AF6A49000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2081777262.0000022AF6A37000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2104649237.0000022AF6A57000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2599193853.0000022AF6A93000.00000004.00000020.00020000.00000000.sdmp, OfficeC2RClient.exe, 0000000C.00000003.2600457243.0000022AF6AA2000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2050246239.0000022B0EF8B000.00000004.00000020.00020000.00000000.sdmp, onenoteim.exe, 0000000E.00000003.2049817409.0000022B0DA3C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575387
Start date and time:	2024-12-15 12:37:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1.exe
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@7/738@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 22 Number of non-executed functions: 37
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, RuntimeBroker.exe, printfilterpipelinesvc.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 13.107.42.16, 52.113.194.132, 4.175.87.197, 20.231.128.67, 23.218.208.109, 13.107.246.63, 52.230.59.222, 4.255.90.245
Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, licensing.mp.microsoft.com, ocsp.digicert.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, l-0007.l-msedge.net, config.edge.skype.com, manage.devcenter.microsoft.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:38:50	API Interceptor	3x Sleep call for process: OfficeC2RClient.exe modified

Process:	C:\Users\user\Desktop\1.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	8504
Entropy (8bit):	4.648029481675414
Encrypted:	false
SSDEEP:	192:+uhiE9c4HaRjkLdWQkyK5TuljeYSM3O41fPFsMDKeCU:1iY4iK5zYPFFsMDKFU
MD5:	E9B887D02B9616003877786FA48A5CC8
SHA1:	4F90A2308C570ABC81E5A6A564B95860B010E3D3
SHA-256:	FFBF4FFCD386A49C22D338403496661D32B2DA8C8B94162A7A0F575530330493
SHA-512:	21C3DFF33DF97FD43A7EB3126F80BA4A18D8CBA44D25DCD0A1C0FA6BDAEEC530A28C0F00AC625C529D6D57898B634B67FD9A44D91FAC470073DE5F814D8D3A0B
Malicious:	true
Reputation:	low
Preview:	<html>...<head>....<title>INC Ransom</title>...</head>...<body style="width: 100%; height: 100%; display: flex; flex-direction: column; justify-content: center; align-items: center; overflow: hidden;">....<div style="display: flex; justify-content: space-between; max-width: 80%; overflow-y: auto;">.....<div style="width: 80%;">.. <div style="display: flex; flex-direction: column;">.. <span style="font-size: 20px; font-weight: 600;">Your data is stolen and encrypted.</span>.. <span style="font-size: 14px; margin-top: 8px;">If you don't pay the ransom, the data will be published on our TOR darknet sites.</span>.. <span style="font-size: 14px;">The sooner you pay the ransom, the sooner your company will be safe.</span>.. </div>.. <div style="display: flex; flex-direction: column; margin-top: 16px;">.. <span style="font-size: 20px; font-weight: 600;">Blog Tor Browser Lin

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: INC Ransomware

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\$WinREAgent\INC-README.html

C:\$WinREAgent\INC-README.txt

C:\$WinREAgent\Scratch\INC-README.html

C:\$WinREAgent\Scratch\INC-README.txt

C:\INC-README.html

C:\INC-README.txt

C:\PerfLogs\INC-README.html

C:\PerfLogs\INC-README.txt

C:\ProgramData\.curlrc

C:\ProgramData\.curlrc.INC (copy)

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.html

C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\INC-README.txt

C:\ProgramData\Adobe\ARM\INC-README.html

C:\ProgramData\Adobe\ARM\INC-README.txt

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\INC-README.html

Windows Analysis Report
1.exe