Windows Analysis Report
peYnzEuoAo.exe

Overview

General Information

Sample name: peYnzEuoAo.exe
renamed because original name is a hash value
Original sample name: 6a61deb10a548e3867f0bbed199acf4b53c65b4878a17aca67e68d972fc3cb7d.exe
Analysis ID: 1637508
MD5: 8bac97f83725909af898da39324c94df
SHA1: f13e858511c3ec295ab846879380907f6136ee13
SHA256: 6a61deb10a548e3867f0bbed199acf4b53c65b4878a17aca67e68d972fc3cb7d
Tags: exe, NATIONALCARECONSORTIUMLTD, user-JAMESWT_MHT

Detection

Hancitor
Score: 48
Range: 0 - 100
Confidence: 100%

Compliance

Score: 64
Range: 0 - 100

Signatures

Yara detected Hancitor
Powershell creates an autostart link
Query firmware table information (likely to detect VMs)
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • peYnzEuoAo.exe (PID: 6512 cmdline: "C:\Users\user\Desktop\peYnzEuoAo.exe" MD5: 8BAC97F83725909AF898DA39324C94DF)
    • 5724.tmp (PID: 6556 cmdline: C:\Users\user\AppData\Local\Temp\5724.tmp MD5: 67ADAACA359411A72285BAE197610751)
      • 5724.tmp (PID: 6616 cmdline: 5724.tmp RELAUNCHED MD5: 67ADAACA359411A72285BAE197610751)
        • OfficeClickToRun.exe (PID: 3060 cmdline: OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE MD5: 75F42872C0302D36A1E3BB5C7928FC02)
        • OfficeClickToRun.exe (PID: 7988 cmdline: OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True MD5: 33F980B29BC3D0B5B536646573D8A63F)
    • 609B.tmp (PID: 6820 cmdline: C:\Users\user\AppData\Local\Temp\609B.tmp MD5: A2A5472574D8C4898D2BE1B90C293466)
      • powershell.exe (PID: 5912 cmdline: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OpenWith.exe (PID: 7392 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • cleanup
Name: Hancitor
Description: Hancitor (aka Chanitor) emerged in 2013 and spreads via social engineering techniques, mainly through phishing mails with embedded malicious links and weaponized Microsoft Office documents containing malicious macros.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
No configs have been found
Source: Process Memory Space: peYnzEuoAo.exe PID: 6512
Rule: JoeSecurity_Hancitor
Description: Yara detected Hancitor
Author: Joe Security

    System Summary

    Source: Process started; Author: Thomas Patzke; Data: Command: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentProcessId: 6820, ParentProcessName: 609B.tmp, ProcessCommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", ProcessId: 5912, ProcessName: powershell.exe
    Source: File created; Author: Christopher Peacock '@securepeacock', SCYTHE; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5912, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsMus.lnk
    Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5912, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsMus.lnk
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentProcessId: 6820, ParentProcessName: 609B.tmp, ProcessCommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", ProcessId: 5912, ProcessName: powershell.exe
    Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton; Data: Command: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentImage: C:\Users\user\AppData\Local\Temp\609B.tmp, ParentProcessId: 6820, ParentProcessName: 609B.tmp, ProcessCommandLine: "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() ", ProcessId: 5912, ProcessName: powershell.exe
    Timestamp                        SID      Severity  Classtype        Source IP    Source Port  Destination IP  Destination Port  Protocol
    2025-03-13T17:19:42.157133+0100  2028371  3         Unknown Traffic  192.168.2.9  49802        13.107.253.72   443               TCP
    2025-03-13T17:19:48.034484+0100  2028371  3         Unknown Traffic  192.168.2.9  49807        13.107.253.72   443               TCP

    Location Tracking

    Source: Yara match; File source: Process Memory Space: peYnzEuoAo.exe PID: 6512, type: MEMORYSTR

    Compliance

    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.lv-lv.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ms-my.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.nb-no.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.nl-nl.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pl-pl.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-br.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-pt.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ro-ro.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ru-ru.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sk-sk.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sl-si.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sr-latn-rs.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sv-se.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.th-th.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.tr-tr.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.uk-ua.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.vi-vn.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.zh-cn.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.zh-tw.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RUI.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ClientCapabilities.jsonJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ClientEventLogMessages.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\concrt140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\FrequentOfficeUpdateSchedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\i640.cab.catJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\i640.hashJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\InspectorOfficeGadget.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\IntegratedOffice.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\inventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\manageability.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\MavInject32.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msix.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msvcp140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RClient.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RCom.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeClickToRun.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officeinventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeOEMPlugin.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officesvcmgr.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officesvcmgrschedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\offreg.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\policy.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\PushRegistrationTask.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\repoman.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ServiceWatcherSchedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\SharedPerformance.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\SubsystemController.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ucrtbase.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vccorlib140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140_1.dllJump to behavior
    Source: peYnzEuoAo.exe Static PE information: certificate valid
    Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.9:49802 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.9:49807 version: TLS 1.2
    Source: peYnzEuoAo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: stub_joiner.pdb source: peYnzEuoAo.exe, 00000000.00000000.926378911.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp, peYnzEuoAo.exe, 00000000.00000002.966151371.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: stub_joiner.pdbQ source: peYnzEuoAo.exe, 00000000.00000000.926378911.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp, peYnzEuoAo.exe, 00000000.00000002.966151371.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: rekk.pdb source: peYnzEuoAo.exe, 00000000.00000003.965307371.000001EA4C861000.00000004.00000020.00020000.00000000.sdmp, peYnzEuoAo.exe, 00000000.00000003.930989192.000001EA4C452000.00000004.00000020.00020000.00000000.sdmp, 609B.tmp, 00000003.00000000.965006856.00007FF616F34000.00000002.00000001.01000000.00000006.sdmp
    Source: global traffic TCP traffic: 192.168.2.9:49686 -> 141.98.10.54:5677
    Source: Joe Sandbox View IP Address: 13.107.253.72 13.107.253.72
    Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49807 -> 13.107.253.72:443
    Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49802 -> 13.107.253.72:443
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic HTTP traffic detected: GET /rules/officeclicktorun.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.18526; Pro)Host: otelrules.svc.static.microsoft
    Source: global traffic HTTP traffic detected: GET /rules/officec2rclient.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.18526; Pro)Host: otelrules.svc.static.microsoft
    Source: global traffic DNS traffic detected: DNS query: otelrules.svc.static.microsoft
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/removey_Lea
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031C7000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006725286.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000009.00000003.1375086695.00000225FF999000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiatee
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://analysis.windows.net/powerbi/apiy
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech7C
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech?J
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechZE
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechbG
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com1
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.com1H
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.comS
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.aadrm.comZ
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.ai
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.ai;
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.cortana.ain
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.com
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comFce
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comFcep
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comges
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comvice
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnostics.office.comvice:
    Source: 5724.tmp, 00000002.00000003.1007061813.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010736397.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1011014211.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1007158412.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009953613.0000000003363000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 
00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback0/
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedbackhme
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets07
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-stringssD
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-stringssks
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screenv/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar7
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.designerapp.osi.office.netq~
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005689141.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.entity.osi.office.net/OfficeEntity/web/views/juno.desktop.cshtmltml
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/1.7:
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.hubblecontent.osi.office.net/rapp
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abice
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://client-office365-tas.msedge.net/abion
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/=
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/F
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/S
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/e
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/macV
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1532532808.00000225FF367000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631122069.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632928049.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1378360893.00000225FF337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v1/Designerev=3)
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v1/Designerev=3E
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631817226.00000225FEB6E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006154397.000000000327D000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031BF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006725286.00000000031BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18526.20144/Production/CC?&EcsCanary=1
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Officej2
    Source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://ecs.office.com/config/v2/Officeonenote.exeoutlook.exedateexcel.exeOfficeFirstRunSDXVersionPr
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edge.skype.com/registrar/prod
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://edge.skype.com/registrar/prode
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/F
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/FceM3
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1e5
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1l=
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1#=
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v196
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1ed
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1X8O
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632679341.00000225FFA1B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/07
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://enrichment.osi.office.net/vice
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/videohostpage/videodeo
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://identity.osi.office.net/v1/tokenken
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://imagetodoc.officeapps.live.com
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com%?
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.com2
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comfileW
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnostics.office.comomthz?
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incidents.diagnosticssdf.office.comd?
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr-
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://insertmedia.osi.office.net/insertmediadia
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1633980184.00000225FFA28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632679341.00000225FFA1B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://invites.office.com/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechech
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeechios
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices7
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/err.srfr.srfce
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/logout.srft.srf
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&response_type=token&redirect
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfp.srf
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_token.srfn.srf
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comHost
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeh
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizei
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeider
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizej
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizek
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizel
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelog
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizelogB
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeo
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeog
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizer
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizeredir
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631953643.00000225FF45C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1633373291.00000225FF463000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizes&
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizesmx:
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetInfo
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizetion
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizex
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizexr
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizey
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorizez
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/common/oauth2/authorize~
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1634434616.00000225FFA6C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://make.powerautomate.com
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://make.powerautomate.comdQ
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpselllickr
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 
00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com0
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com03858
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com27858G
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com398
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com5
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com560A68C
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com58E
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com6
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com658587
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com67858E
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031C7000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006725286.00000000031C4000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 
00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com6_
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com7
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com70858E
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com72858
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com73858B
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com75858
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com76858
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com79858
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com95858
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.com99858A
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.come
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.come858
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://officeapps.live.come858C
00000009.00000003.1632928049.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1378360893.00000225FF337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303870562.00000225FEB9C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631570610.00000225FEB9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/858
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/858?
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1634434616.00000225FFA6C000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.jsonts3
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/connectors
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/connectorst/etq?
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/ews/exchange.asmx
    Source: 5724.tmp, 00000002.00000003.1009794353.00000000033CF000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010325568.00000000033D2000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006598613.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1064374320.00000000033BA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005717141.00000000033DB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.office365.com/u
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/4
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://planner.cloud.microsoft
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1633980184.00000225FFA28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632679341.00000225FFA1B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerlift.acompli.net
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pptcs.officeapps.live.com/pptauto/PowerpointAutomation.svc/PptAutomationB
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pptcs.officeapps.live.com/pptauto/PowerpointAutomation.svc/restI
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pptservicescast.officeapps.live.com/SpeechHandler.ashx11
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consent.aspx3
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.office.com/client/consentsideloading.aspx
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/officehubub07
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/subscriptionon
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stores.office.com/myaccount/api/account.svc/subscriptionon?
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1633980184.00000225FFA28000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632679341.00000225FFA1B000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1384216775.00000225FF99A000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632304448.00000225FFA31000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1629517773.00000225FF97E000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1534027837.00000225FF998000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/CompliancePolicy/ClientSyncFile/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/M365.Accessssxxz9
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/ingestion
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficeIntelligence/v1.0/insights
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/OfficePersonalizationUserLifecycle/api/facts
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/api/beta/me/Signals
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/api/v2.0/me/Signals
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/imageB2/v1.0/me/image/resize%28width%3D384%2Cheight%3D384%2CallowResize
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/orcarviceW
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/ows/v2/ActivityFeed/UpdateActivityFeedStatet/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/profileb2/v2.0/me/V1Profilele
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/puds
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/recommended/api/v1.0/edgeworth
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/eventsaspx.
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/i/
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendations
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/recommendedDocuments2#
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/searchhistory
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://substrate.office.com/search/api/v1/suggestionsB
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://webshell.suite.office.comvice
    Source: 5724.tmp, 00000002.00000003.1007061813.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006499139.0000000003342000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1007158412.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006557529.0000000003383000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashxORedir1.0
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashxcu
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005740323.0000000003218000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashxyBias
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios7
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005504395.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.00000000033DA000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005357426.000000000334B000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003392000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303825303.00000225FF971000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1532532808.00000225FF367000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631122069.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632928049.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1378360893.00000225FF337000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wus2.pagecontentsync.onenote.com/pagecontentsync/attachment/v1nc/attachment/v1
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2.com
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2crev
    Source: 5724.tmp, 00000002.00000003.1005504395.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005211319.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006332892.00000000033EB000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006421315.00000000033FE000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010772104.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1010896218.0000000003406000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009843760.00000000033F9000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005882173.0000000003408000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1009696815.00000000033E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.onenote.com/userinfo/v1/settings/IsFeatureEnabled/PremiumFeatureses
    Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49802
    Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.9:49802 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.9:49807 version: TLS 1.2
    Source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_176ce7c2-6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FF9C13A337E 7_2_00007FF9C13A337E
    Source: C2RINTL.ko-kr.dll.9.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: Number of sections : 13 > 10
    Source: 609B.tmp.0.dr Static PE information: Number of sections : 11 > 10
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: Number of sections : 11 > 10
    Source: C2RINTL.pt-pt.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.kk-kz.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.cs-cz.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-heap-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.hi-in.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ru-ru.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-utility-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ro-ro.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.en-gb.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-time-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.nl-nl.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.hu-hu.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.fr-fr.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.lv-lv.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-string-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ja-jp.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.da-dk.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-locale-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.tr-tr.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.en-us.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ms-my.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ko-kr.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.nb-no.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.et-ee.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.bg-bg.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.pl-pl.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.sk-sk.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-math-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.zh-tw.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.lt-lt.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.th-th.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.fr-ca.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-multibyte-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.ar-sa.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.zh-cn.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.sv-se.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.es-mx.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.id-id.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.uk-ua.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.sl-si.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-runtime-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.fi-fi.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.vi-vn.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-process-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-private-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-xstate-l2-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-stdio-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.pt-br.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.sr-latn-rs.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.el-gr.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.he-il.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.es-es.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.hr-hr.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.it-it.dll.9.dr Static PE information: No import functions for PE file found
    Source: C2RINTL.de-de.dll.9.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.9.dr Static PE information: No import functions for PE file found
    Source: peYnzEuoAo.exe, 00000000.00000000.926416884.00007FF6E7D25000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs peYnzEuoAo.exe
    Source: peYnzEuoAo.exe, 00000000.00000003.965307371.000001EA4CD90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs peYnzEuoAo.exe
    Source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D73B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBootstrapper.exeB vs peYnzEuoAo.exe
    Source: classification engine Classification label: mal48.troj.evad.winEXE@15/533@2/2
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe File created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A5A9C27C-F63D-4256-9ED5-861A289587F1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
    Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Mutant created: \Sessions\1\BaseNamedObjects\Local\2BF388D5-6F8C-40A0-A7EE-996D005C4E14_Office16
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Mutant created: \Sessions\1\BaseNamedObjects\Local\OfficeSetupBootstrapper
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Mutant created: \Sessions\1\BaseNamedObjects\Office.16.916BB0BF-2D21-4499-83C7-555DB4C3F8E8
    Source: C:\Users\user\AppData\Local\Temp\609B.tmp Mutant created: \Sessions\1\BaseNamedObjects\AsMus
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe File created: C:\Users\user\AppData\Local\Temp\5724.tmp
    Source: peYnzEuoAo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
    Source: unknown Process created: C:\Users\user\Desktop\peYnzEuoAo.exe "C:\Users\user\Desktop\peYnzEuoAo.exe"
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Process created: C:\Users\user\AppData\Local\Temp\5724.tmp C:\Users\user\AppData\Local\Temp\5724.tmp
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Process created: C:\Users\user\AppData\Local\Temp\5724.tmp 5724.tmp RELAUNCHED
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Process created: C:\Users\user\AppData\Local\Temp\609B.tmp C:\Users\user\AppData\Local\Temp\609B.tmp
    Source: C:\Users\user\AppData\Local\Temp\609B.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
    Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Section loaded: vcruntime140.dll
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: msasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: cryptsp.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: rsaenh.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: msi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: secur32.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: version.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: wininet.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windows.ui.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windowmanagementapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: textinputframework.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: inputhost.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: coreuicomponents.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: coremessaging.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: wintypes.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: twinapi.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: propsys.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windowscodecs.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: appxdeploymentclient.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: textshaping.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: mswsock.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: winnsi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: netprofm.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: dhcpcsvc6.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: dhcpcsvc.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: npmproxy.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: webio.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: dnsapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: rasadhlp.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: fwpuclnt.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: schannel.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: mskeyprotect.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: ntasn1.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: ncrypt.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: ncryptsslp.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: gpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: webservices.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: dpapi.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windows.networking.connectivity.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Section loaded: windows.security.authentication.onlineid.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: slc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: sppc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: bitsproxy.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: cryptnet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: cabinet.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: devrtl.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: msxml6.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpSection loaded: vcruntime140.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: secur32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: ncrypt.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: netapi32.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: pdh.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: powrprof.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: userenv.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: sspicli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: netutils.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: samcli.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: ntasn1.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: umpdc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: tiledatarepository.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: staterepository.core.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepository.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: wtsapi32.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositorycore.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: appxdeploymentclient.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll
    Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
    Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
    Source: AsMus.lnk.7.dr LNK file: ..\..\..\..\..\..\..\..\Public\Music\script\609B.tmp
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Directory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Directory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Directory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\i640.hashJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\InspectorOfficeGadget.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\IntegratedOffice.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\inventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\manageability.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\MavInject32.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msix.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msvcp140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RClient.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RCom.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeClickToRun.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officeinventory.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeOEMPlugin.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officesvcmgr.exeJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officesvcmgrschedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\offreg.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\policy.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\PushRegistrationTask.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\repoman.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ServiceWatcherSchedule.xmlJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\SharedPerformance.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\SubsystemController.manJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ucrtbase.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vccorlib140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140.dllJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDirectory created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140_1.dllJump to behavior
    Source: peYnzEuoAo.exe Static PE information: certificate valid
    Source: peYnzEuoAo.exe Static PE information: Image base 0x140000000 > 0x60000000
    Source: peYnzEuoAo.exe Static file information: File size 6411864 > 1048576
    Source: peYnzEuoAo.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5b6600
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: peYnzEuoAo.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: peYnzEuoAo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: d:\dbs\el\omr\target\x86\ship\click2run\en-us\SetupBootstrapper.pdb source: peYnzEuoAo.exe, 00000000.00000003.938739497.000001EA4D070000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000001.00000000.938266759.000000000092C000.00000002.00000001.01000000.00000005.sdmp, 5724.tmp, 00000002.00000000.940932517.000000000092C000.00000002.00000001.01000000.00000005.sdmp
    Source: Binary string: stub_joiner.pdb source: peYnzEuoAo.exe, 00000000.00000000.926378911.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp, peYnzEuoAo.exe, 00000000.00000002.966151371.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: stub_joiner.pdbQ source: peYnzEuoAo.exe, 00000000.00000000.926378911.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp, peYnzEuoAo.exe, 00000000.00000002.966151371.00007FF6E7759000.00000002.00000001.01000000.00000003.sdmp
    Source: Binary string: rekk.pdb source: peYnzEuoAo.exe, 00000000.00000003.965307371.000001EA4C861000.00000004.00000020.00020000.00000000.sdmp, peYnzEuoAo.exe, 00000000.00000003.930989192.000001EA4C452000.00000004.00000020.00020000.00000000.sdmp, 609B.tmp, 00000003.00000000.965006856.00007FF616F34000.00000002.00000001.01000000.00000006.sdmp
    Source: peYnzEuoAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: peYnzEuoAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: peYnzEuoAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: peYnzEuoAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: peYnzEuoAo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
    Source: InspectorOfficeGadget.exe.9.dr Static PE information: 0xABDA5564 [Fri May 13 12:24:04 2061 UTC]
    Source: initial sample Static PE information: section where entry point is pointing to: .hexpthk
    Source: 5724.tmp.0.dr Static PE information: section name: .fptable
    Source: 609B.tmp.0.dr Static PE information: section name: .xdata
    Source: C2RUI.dll.9.dr Static PE information: section name: .didat
    Source: IntegratedOffice.exe.9.dr Static PE information: section name: .didat
    Source: IntegratedOffice.exe.9.dr Static PE information: section name: .fptable
    Source: inventory.dll.9.dr Static PE information: section name: .didat
    Source: inventory.dll.9.dr Static PE information: section name: .detourc
    Source: manageability.dll.9.dr Static PE information: section name: .didat
    Source: MavInject32.exe.9.dr Static PE information: section name: .detourc
    Source: msix.dll.9.dr Static PE information: section name: .didat
    Source: msix.dll.9.dr Static PE information: section name: .fptable
    Source: OfficeC2RClient.exe.9.dr Static PE information: section name: .didat
    Source: OfficeC2RClient.exe.9.dr Static PE information: section name: .detourc
    Source: OfficeC2RCom.dll.9.dr Static PE information: section name: .didat
    Source: OfficeC2RCom.dll.9.dr Static PE information: section name: .fptable
    Source: OfficeClickToRun.exe.9.dr Static PE information: section name: .didat
    Source: officeinventory.dll.9.dr Static PE information: section name: _RDATA
    Source: OfficeOEMPlugin.dll.9.dr Static PE information: section name: .didat
    Source: officesvcmgr.exe.9.dr Static PE information: section name: .didat
    Source: policy.dll.9.dr Static PE information: section name: .didat
    Source: repoman.dll.9.dr Static PE information: section name: .didat
    Source: repoman.dll.9.dr Static PE information: section name: .fptable
    Source: vcruntime140.dll.9.dr Static PE information: section name: fothk
    Source: vcruntime140.dll.9.dr Static PE information: section name: _RDATA
    Source: ApiClient.dll.9.dr Static PE information: section name: .fptable
    Source: AppVCatalog.dll.9.dr Static PE information: section name: .didat
    Source: appvcleaner.exe.9.dr Static PE information: section name: .didat
    Source: AppVIntegration.dll.9.dr Static PE information: section name: .didat
    Source: AppVIsvApi.dll.9.dr Static PE information: section name: .didat
    Source: AppVIsvStreamingManager.dll.9.dr Static PE information: section name: .didat
    Source: AppVIsvSubsystemController.dll.9.dr Static PE information: section name: .didat
    Source: AppVIsvSubsystemController.dll.9.dr Static PE information: section name: .detourc
    Source: AppVIsvSubsystemController.dll.9.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems32.dll.9.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems32.dll.9.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems32.dll.9.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems32.dll.9.dr Static PE information: section name: .c2r
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: section name: .didat
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems64.dll.9.dr Static PE information: section name: .c2r
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .hexpthk
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .didat
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .detourc
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .mrdata
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .detourd
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .a64xrm
    Source: AppvIsvSubsystems64_arm64x.dll.9.dr Static PE information: section name: .c2r
    Source: AppVIsvVirtualization.dll.9.dr Static PE information: section name: .didat
    Source: AppVOrchestration.dll.9.dr Static PE information: section name: .didat
    Source: AppVScripting.dll.9.dr Static PE information: section name: .didat
    Source: AppVShNotify.exe.9.dr Static PE information: section name: .didat
    Source: C2R32.dll.9.dr Static PE information: section name: .fptable
    Source: C2R32.dll.9.dr Static PE information: section name: .detourc
    Source: c2r32werhandler.dll.9.dr Static PE information: section name: .fptable
    Source: C2R64.dll.9.dr Static PE information: section name: .didat
    Source: C2R64.dll.9.dr Static PE information: section name: .fptable
    Source: C2R64.dll.9.dr Static PE information: section name: .detourc
    Source: c2r64werhandler.dll.9.dr Static PE information: section name: .didat
    Source: c2r64werhandler.dll.9.dr Static PE information: section name: .fptable
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe File created: C:\Users\user\AppData\Local\Temp\609B.tmp
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-stdio-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2R64.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVCatalog.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.el-gr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVCatalog.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIsvStreamingManager.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.lv-lv.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-conio-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppvIsvSubsystems64.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.en-gb.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.he-il.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\repoman.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\inventory.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\appvcleaner.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.et-ee.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.fr-fr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-time-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\appvcleaner.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ro-ro.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvApi.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\inventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msix.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-br.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.uk-ua.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvVirtualization.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\concrt140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\ucrtbase.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sk-sk.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-pt.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msvcp140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-private-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.el-gr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.en-us.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sr-latn-rs.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ro-ro.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sl-si.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.de-de.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.uk-ua.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\c2r64werhandler.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.zh-cn.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.bg-bg.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppvIsvSubsystems32.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-file-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppvIsvSubsystems64_arm64x.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\c2r32werhandler.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.sl-si.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.zh-tw.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.tr-tr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.fi-fi.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.fr-ca.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.hi-in.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\manageability.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-filesystem-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2R32.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vccorlib140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.pl-pl.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RClient.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\vcruntime140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIntegration.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.lv-lv.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.id-id.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\OfficeOEMPlugin.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\policy.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.cs-cz.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.he-il.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.es-mx.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.kk-kz.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppvIsvSubsystems32.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.tr-tr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ja-jp.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIsvSubsystemController.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-processthreads-l1-1-1.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\vcruntime140_1.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ucrtbase.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-runtime-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVPolicy.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.zh-tw.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppvIsvSubsystems64_arm64x.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\offreg.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIsvApi.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVManifest.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVOrchestration.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.th-th.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\officesvcmgr.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.de-de.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ms-my.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVFileSystemMetadata.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppvIsvSubsystems64.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\OfficeC2RClient.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\MavInject32.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.nb-no.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.hi-in.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\vccorlib140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.lt-lt.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.kk-kz.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.es-es.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIntegration.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\OfficeClickToRun.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-file-l2-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.bg-bg.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officeinventory.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140_1.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.hu-hu.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ar-sa.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ru-ru.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.en-gb.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.id-id.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.vi-vn.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\officesvcmgr.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIsvVirtualization.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVScripting.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\ApiClient.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVManifest.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-multibyte-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.lt-lt.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\msix.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ru-ru.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.fr-fr.dll (copy)Jump to dropped file
    Source: C:\Users\user\Desktop\peYnzEuoAo.exeFile created: C:\Users\user\AppData\Local\Temp\5724.tmpJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\manageability.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ms-my.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-utility-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\repoman.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeOEMPlugin.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ko-kr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.nl-nl.dllJump to dropped file
    Source: C:\Users\user\AppData\Local\Temp\609B.tmpFile created: C:\Users\Public\Music\script\609B.tmp (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\ApiClient.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.es-mx.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-xstate-l2-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.hr-hr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ko-kr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvStreamingManager.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RUI.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.sv-se.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvSubsystemController.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.fr-ca.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\InspectorOfficeGadget.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\IntegratedOffice.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVPolicy.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2R64.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.et-ee.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.hr-hr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-timezone-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.es-es.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\officeinventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ar-sa.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\InspectorOfficeGadget.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.sr-latn-rs.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.th-th.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sv-se.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.pt-br.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.zh-cn.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\offreg.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-locale-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\policy.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-localization-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\vcruntime140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-convert-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.nl-nl.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVShNotify.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-math-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RUI.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVOrchestration.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.en-us.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RCom.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.hu-hu.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVFileSystemMetadata.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\OfficeC2RCom.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeFile created: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-heap-l1-1-0.dll (copy)Jump to dropped file

    Boot Survival

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: .lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() @{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Script
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AsMus.lnkJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpRegistry key monitored for changes: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ExplorerJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData 1.16Jump to behavior
    Source: C:\Users\user\AppData\Local\Temp\5724.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\OpenWith.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\AppData\Local\Temp\5724.tmp, System information queried: FirmwareTableInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 3625
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 3387
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.it-it.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\concrt140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\MavInject32.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ja-jp.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pl-pl.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.pt-pt.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVScripting.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-environment-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\IntegratedOffice.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\c2r32werhandler.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.da-dk.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.vi-vn.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.nb-no.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\c2r64werhandler.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-process-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVShNotify.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-xstate-l2-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-synch-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.sk-sk.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2R32.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-file-l2-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.fi-fi.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.cs-cz.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.da-dk.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.it-it.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\msvcp140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-stdio-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2R64.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVCatalog.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.el-gr.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVCatalog.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppVIsvStreamingManager.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.lv-lv.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-conio-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppvIsvSubsystems64.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.en-gb.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.he-il.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\repoman.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\inventory.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\appvcleaner.exeJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.et-ee.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.fr-fr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-time-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.ro-ro.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\appvcleaner.exe (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvApi.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\inventory.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msix.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-br.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.uk-ua.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVIsvVirtualization.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\concrt140.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sk-sk.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.pt-pt.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\msvcp140.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-private-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.el-gr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.en-us.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.ro-ro.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sr-latn-rs.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.de-de.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.sl-si.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.uk-ua.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\c2r64werhandler.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.zh-cn.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.bg-bg.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\AppvIsvSubsystems32.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppvIsvSubsystems64_arm64x.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-core-file-l1-2-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.sl-si.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\c2r32werhandler.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.zh-tw.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\C2RINTL.tr-tr.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.fi-fi.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.en-us.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-string-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\C2RINTL.hu-hu.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEAOfficeC2RFE7AFEF1-BE96-403B-B0CA-53FF9CAF9886\OfficeC2RCom.dllJump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\AppVFileSystemMetadata.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\OfficeC2RCom.dll (copy)Jump to dropped file
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeDropped PE file which has not been started: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\09B11B1B-1BB3-43CC-A7E1-0FDA1EF2AEEA\api-ms-win-crt-heap-l1-1-0.dll (copy)Jump to dropped file
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5764; Thread sleep count: 3625 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760; Thread sleep count: 3387 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5532; Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1896; Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
    Source: OfficeClickToRun.exe, 00000009.00000003.1378360893.00000225FF337000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VMWare, Inc.
    Source: 5724.tmp, 00000002.00000003.1062873989.0000000001113000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWp
    Source: 5724.tmp, 00000002.00000003.1006725286.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1006036791.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 5724.tmp, 00000002.00000003.1005393640.00000000031E6000.00000004.00000020.00020000.00000000.sdmp, 609B.tmp, 00000003.00000003.1646382049.000002B66F456000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631570610.00000225FEBDA000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1303870562.00000225FEBE5000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1383784327.00000225FEBE2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
    Source: OfficeClickToRun.exe, 00000009.00000003.1532532808.00000225FF367000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1631122069.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1632928049.00000225FF366000.00000004.00000020.00020000.00000000.sdmp, OfficeClickToRun.exe, 00000009.00000003.1378360893.00000225FF337000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: QEMU=
    Source: powershell.exe, 00000007.00000002.1360763552.000001F333429000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q
    Source: OfficeClickToRun.exe, 00000009.00000003.1263731363.00000225FEA0D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe; Memory allocated: page read and write | page guard
    Source: C:\Users\user\AppData\Local\Temp\609B.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command " $StartupFolder = [System.Environment]::GetFolderPath('Startup') $ExePath = 'C:\Users\Public\Music\script\609B.tmp' $ShortcutPath = Join-Path -Path $StartupFolder -ChildPath 'AsMus.lnk' $WScriptShell = New-Object -ComObject WScript.Shell $Shortcut = $WScriptShell.CreateShortcut($ShortcutPath) $Shortcut.TargetPath = $ExePath $Shortcut.WorkingDirectory = Split-Path -Parent $ExePath $Shortcut.WindowStyle = 7 $Shortcut.Description = 'AsMus' $Shortcut.Save() "
    Source: C:\Users\user\AppData\Local\Temp\609B.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -command " $startupfolder = [system.environment]::getfolderpath('startup') $exepath = 'c:\users\public\music\script\609b.tmp' $shortcutpath = join-path -path $startupfolder -childpath 'asmus.lnk' $wscriptshell = new-object -comobject wscript.shell $shortcut = $wscriptshell.createshortcut($shortcutpath) $shortcut.targetpath = $exepath $shortcut.workingdirectory = split-path -parent $exepath $shortcut.windowstyle = 7 $shortcut.description = 'asmus' $shortcut.save() "
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp; Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe officeclicktorun.exe platform=x86 culture=en-us productstoadd=o365homepremretail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18526.20168 mediatype=cdn sourcetype=cdn o365homepremretail.excludedapps=groove bitnessmigration=false deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=true scenario=clientupdate
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp; Process created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe officeclicktorun.exe platform=x86 culture=en-us productstoadd=o365homepremretail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18526.20168 mediatype.16=cdn sourcetype.16=cdn o365homepremretail.excludedapps.16=groove bitnessmigration=false deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=true
    Source: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
    Source: C:\Windows\System32\OpenWith.exe; Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
    Source: C:\Users\user\Desktop\peYnzEuoAo.exe; Code function: 0_2_00007FF6E77563EC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF6E77563EC
    Source: C:\Users\user\AppData\Local\Temp\5724.tmp; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Remote Access Functionality

    Source: Yara match; File source: Process Memory Space: peYnzEuoAo.exe PID: 6512, type: MEMORYSTR
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Command and Scripting Interpreter | 12 Registry Run Keys / Startup Folder | 11 Process Injection | 3 Masquerading | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
    Credentials | Domains | Default Accounts | 1 PowerShell | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 121 Virtualization/Sandbox Evasion | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 121 Virtualization/Sandbox Evasion | SSH | Keylogging | 3 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 24 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    Behavior Graph ID: 1637508; Sample: peYnzEuoAo.exe; Startdate: 13/03/2025; Architecture: WINDOWS; Score: 48
    Signatures: Yara detected Hancitor; Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation; Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
    DNS/IP: star-azurefd-prod.trafficmanager.net; shed.dual-low.s-part-0032.t-0009.t-msedge.net; 6 other IPs or domains
    peYnzEuoAo.exe (started)
      dropped: C:\Users\user\AppData\Local\Temp\609B.tmp, PE32+
      dropped: C:\Users\user\AppData\Local\Temp\5724.tmp, PE32
      5724.tmp (started)
        5724.tmp (started)
          signature: Query firmware table information (likely to detect VMs)
          OfficeClickToRun.exe (started)
            dropped: C:\Program Files\...\vcruntime140_1.dll, PE32+
            dropped: C:\Program Files\...\vcruntime140.dll, PE32+
            dropped: C:\Program Files\...\vccorlib140.dll, PE32+
            dropped: 213 other files (none is malicious)
          OfficeClickToRun.exe (started)
            DNS/IP: s-part-0044.t-0009.fb-t-msedge.net 13.107.253.72, 443, 49802, 49807 MICROSOFT-CORP-MSN-AS-BLOCK US United States
      609B.tmp (started)
        DNS/IP: 141.98.10.54, 49686, 49689, 49690 HOSTBALTIC LT Lithuania
        dropped: C:\Users\Public\Music\...\609B.tmp (copy), PE32+
        powershell.exe (started)
          dropped: C:\Users\user\AppData\Roaming\...\AsMus.lnk, MS
          signature: Powershell creates an autostart link
          conhost.exe (started)
    OpenWith.exe (started)
