Edit tour

Windows Analysis Report
https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com

Overview

General Information

Sample URL:	https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com
Analysis ID:	1545850

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 5968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1984,i,4124401851218524483,4900856312814632520,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

HxOutlook.exe (PID: 6340 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca MD5: 6F8EAC2C377C8F16D91CB5AC8B8DBF5F)

HxAccounts.exe (PID: 7576 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca MD5: 6FEB00C9A2C3FF66230658B3012BAB6A)

WWAHost.exe (PID: 7524 cmdline: "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa MD5: 69318AE264A1E45ED570CEDCDC4B7B69)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: lx-capricorn-star-mail.qiye.163.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: logincdn.msftauth.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49721 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@20/16@7/166

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1984,i,4124401851218524483,4900856312814632520,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com"
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1984,i,4124401851218524483,4900856312814632520,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\WWAHost.exe "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: apphelp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: microsoft.applications.telemetry.windows.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msoimm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso40uiimm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso30imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.core.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.word.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso50imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.model.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxcomm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.hostname.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.energy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.view.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxshared.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.viewmodel.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: clipc.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.resources.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: logoncli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hx.mail.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxcalendar.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.remotedesktop.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winsta.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.systemid.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.retailinfo.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msxml6.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wininet.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: sspicli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winhttp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mswsock.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winnsi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winrttracing.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: schannel.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: photometadatahandler.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ploptin.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msasn1.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dpapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: gpapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataaccountapis.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.accountscontrol.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: accountsrt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: aphostclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: webservices.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: apphelp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.model.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: microsoft.applications.telemetry.windows.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso20imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso30imm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: iertutil.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dcomp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wintypes.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowmanagementapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: inputhost.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: propsys.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: urlmon.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: srvcli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: netutils.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxgi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: office.ui.xaml.hxaccounts.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d11.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d10warp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxcore.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxcomm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d2d1.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.hostname.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.energy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wldp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.accountscontrol.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vaultcli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: userenv.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profext.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: winrttracing.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.resources.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msftedit.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: globinputhost.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wuceffects.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: ninput.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.phone.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: twinapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: usermgrcli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaext.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgehtml.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: chakra.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuuc.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuin.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rometadata.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icu.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.applicationdata.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uiamanager.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.graphics.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgemanager.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ninput.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgeiso.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msimtf.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profext.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cloudexperiencehostcommon.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wincorlib.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wuceffects.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webruntimemanager.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountwamextension.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountextension.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: aadauthhelper.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.http.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webauthn.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowscodecs.dll

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A6FF50C0-56C0-71CA-5732-BED303A59628}\InProcServer32

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

Key opened: \REGISTRY\A\{1e51bf31-a6d1-2e48-9d74-80c5d2c2d321}\LocalState\HKEY_CURRENT_USER\Software\Microsoft\Office Test\Special\PerfImm

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE3FBA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE40A10000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE40B10000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE448A0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE448E0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE45150000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE45270000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE555D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55750000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55A00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55C40000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55C80000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55EE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE560B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE562C0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56400000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56570000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56740000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56880000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE568C0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56A20000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56E00000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56F00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE57250000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE57370000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE59000000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE596A0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55360000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE55470000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE56BB0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE57970000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE59C00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE579F0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE59D00000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE57A10000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE59E00000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A230000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A350000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A3D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A4D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE59F60000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A990000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6A9B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6AAD0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6AE00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6AF60000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6AF80000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6AFA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B1E0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B2E0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B4E0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B5E0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B700000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6B940000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6BB20000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6BB60000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6BC60000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6BDA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6BEA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6C200000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 1CE6C8D0000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\System32\WWAHost.exe

Memory allocated: page read and write | page guard

Source: C:\Windows\System32\WWAHost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
sni1gl.wpc.alphacdn.net	152.199.21.175	true	false	unknown
www.google.com	142.250.186.164	true	false	unknown
lx-capricorn-star-mail.qiye.163.com	8.210.52.23	true	false	unknown
logincdn.msftauth.net	unknown	unknown	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	unknown	United States	15169	GOOGLEUS	false
142.250.186.78	unknown	United States	15169	GOOGLEUS	false
8.210.52.23	lx-capricorn-star-mail.qiye.163.com	Singapore	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
52.109.89.18	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.42.16	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.227	unknown	United States	15169	GOOGLEUS	false
142.251.168.84	unknown	United States	15169	GOOGLEUS	false
20.189.173.25	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
20.190.160.22	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.186.164	www.google.com	United States	15169	GOOGLEUS	false
142.250.186.131	unknown	United States	15169	GOOGLEUS	false
152.199.21.175	sni1gl.wpc.alphacdn.net	United States	15133	EDGECASTUS	false
142.250.184.206	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545850
Start date and time:	2024-10-31 07:18:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@20/16@7/166

Warnings

Exclude process from analysis (whitelisted): HxTsr.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.186.131, 142.250.186.78, 142.251.168.84, 34.104.35.123, 52.109.89.18, 13.107.5.88, 199.232.214.172, 20.73.194.208, 13.107.42.16
Excluded domains from analysis (whitelisted): accounts.google.com, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, outlookmobile-office365-tas-msedge-net.e-0009.e-msedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, e-0009.e-msedge.net, weu-azsc-config.officeapps.live.com, clients2.google.com, edgedl.me.gvt1.com, outlookmobile-office365-tas.msedge.net, atm-settingsfe-prod-geo2.trafficmanager.net, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, config.officeapps.live.com, settings-prod-weu-2.westeurope.cloudapp.azure.com, officeclient.microsoft.com, clients.l.google.com, settings.data.microsoft.com, l-0007.l-msedge.net, wu-b-net.trafficmanager.net, config.edge.skype.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: bg.microsoft.map.fastly.net
VT rate limit hit for: lx-capricorn-star-mail.qiye.163.com
VT rate limit hit for: www.google.com

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": true, "brand_spoofing_attempt": false, "third_party_hosting": false }
URL: URL: https://lx-capricorn-star-mail.qiye.163.com

Input

Output

URL: Model: claude-3-5-sonnet-latest

{
    "typosquatting": false,
    "unusual_query_string": false,
    "suspicious_tld": false,
    "ip_in_url": false,
    "long_subdomain": true,
    "malicious_keywords": false,
    "encoded_characters": false,
    "redirection": false,
    "contains_email_address": false,
    "known_domain": true,
    "brand_spoofing_attempt": false,
    "third_party_hosting": false
}

URL: URL: https://lx-capricorn-star-mail.qiye.163.com

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\AOYVKG3S\2_11d9e3bcdfede9ce5ce5ace2d129f1c4[1].svg

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1864
Entropy (8bit):	5.222032823730197
Encrypted:	false
SSDEEP:
MD5:	BC3D32A696895F78C19DF6C717586A5D
SHA1:	9191CB156A30A3ED79C44C0A16C95159E8FF689D
SHA-256:	0E88B6FCBB8591EDFD28184FA70A04B6DD3AF8A14367C628EDD7CABA32E58C68
SHA-512:	8D4F38907F3423A86D90575772B292680F7970527D2090FC005F9B096CC81D3F279D59AD76EAFCA30C3D4BBAF2276BBAA753E2A46A149424CF6F1C319DED5A64
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="1920" height="1080" fill="none"><g opacity=".2" clip-path="url(#E)"><path d="M1466.4 1795.2c950.37 0 1720.8-627.52 1720.8-1401.6S2416.77-1008 1466.4-1008-254.4-380.482-254.4 393.6s770.428 1401.6 1720.8 1401.6z" fill="url(#A)"/><path d="M394.2 1815.6c746.58 0 1351.8-493.2 1351.8-1101.6S1140.78-387.6 394.2-387.6-957.6 105.603-957.6 714-352.38 1815.6 394.2 1815.6z" fill="url(#B)"/><path d="M1548.6 1885.2c631.92 0 1144.2-417.45 1144.2-932.4S2180.52 20.4 1548.6 20.4 404.4 437.85 404.4 952.8s512.276 932.4 1144.2 932.4z" fill="url(#C)"/><path d="M265.8 1215.6c690.246 0 1249.8-455.595 1249.8-1017.6S956.046-819.6 265.8-819.6-984-364.005-984 198-424.445 1215.6 265.8 1215.6z" fill="url(#D)"/></g><defs><radialGradient id="A" cx="0" cy="0" r="1" gradientUnits="userSpaceOnUse" gradientTransform="translate(1466.4 393.6) rotate(90) scale(1401.6 1720.8)"><stop stop-color="#107c10"/><stop offset="1" stop-color="#c4c4c4" stop-opacity="0"/></radialGradient><r

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\AOYVKG3S\Converged_v22057_mG-wAdV--_sq1kXms675SA2[1].css

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	ASCII text, with very long lines (61112)
Category:	dropped
Size (bytes):	111517
Entropy (8bit):	5.283488463851382
Encrypted:	false
SSDEEP:
MD5:	986FB001D57EFBFB2AD645E6B3AEF948
SHA1:	A1590F0BC684D395A6179FB915DEECA3A9321D89
SHA-256:	DE304CB4D64E769DD16A7B4500603205D2606FE0877DD046460C7B8DF06A31B3
SHA-512:	0C5599773904A45552E241E9E7723BD6CDC0A3B71A05145553942E27450E8E706C128C918FC6B5599F9BB55EEA1FA6B9801D78FD4D95292E24709CD90FB9A7CC
Malicious:	false
Reputation:	unknown
Preview:	/! Copyright (C) Microsoft Corporation. All rights reserved. /./*!.------------------------------------------- START OF THIRD PARTY NOTICE -----------------------------------------..This file is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Microsoft product. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise...//-----------------------------------------------------------------------------.twbs-bootstrap-sass (3.3.0).//-----------------------------------------------------------------------------..The MIT License (MIT)..Copyright (c) 2013 Twitter, Inc..Permission is hereby granted, free of charge, to any perso

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\B3UQP68X\ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2[1].js

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (32359)
Category:	dropped
Size (bytes):	38737
Entropy (8bit):	5.172420373193738
Encrypted:	false
SSDEEP:
MD5:	C4A2D8A4F477713CF51B6ABE8BB8B42B
SHA1:	82A09AF90939776FAB8AB2CF6ABDC793922A64F2
SHA-256:	00F747E1C02B1B5FE4A3B149DD9E83E766AF2DCBA989B0E7D2CDD347E8541D6C
SHA-512:	9ECE505FDD60E7499DFB0D526D3406F6EB89EB399EBD74EC85EF049B56C865D187AAB11D94987438D771E1A1EAB3A55AE378967DA209D36EC8C82E16ABC1E3D9
Malicious:	false
Reputation:	unknown
Preview:	!function(e){function o(i){if(n[i])return n[i].exports;var t=n[i]={exports:{},id:i,loaded:!1};return e[i].call(t.exports,t,t.exports,o),t.loaded=!0,t.exports}var n={};return o.m=e,o.c=n,o.p="",o(0)}([function(e,o,n){var i=n(1),t=n(5),r=n(4),a=t.StringsVariantId;i.registerSource("str",function(e,o){switch(e.MOBILE_STR_Header_Brand="Microsoft account",e.CT_STR_CookieBanner_Link_AriaLabel="Learn more about Microsoft's Cookie Policy",o.aF){case a.CombinedSigninSignup:e.WF_STR_HeaderDefault_Title="Hi there!";break;case a.CombinedSigninSignupV2WelcomeTitle:e.WF_STR_HeaderDefault_Title="Welcome";break;default:e.WF_STR_HeaderDefault_Title=o.DT}if(o.C&&o.C.friendlyAppName){var n=o.Co?"to continue to {0}":"Continue to {0}";e.WF_STR_App_Title=r.format(n,o.C.friendlyAppName)}switch(o.aF){case a.SkypeMoveAlias:e.WF_STR_Default_Desc="To continue, verify the password for your Microsoft account.";break;case a.CombinedSigninSignup:case a.CombinedSigninSignupDefaultTitle:e.WF_STR_Default_Desc='This work

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\B3UQP68X\WinJS_vcvx4TydCFioSeM4NLxTDw2[1].js

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	Unicode text, UTF-8 text, with very long lines (32032), with CRLF line terminators
Category:	dropped
Size (bytes):	168824
Entropy (8bit):	5.403041370649555
Encrypted:	false
SSDEEP:
MD5:	BDCBF1E13C9D0858A849E33834BC530F
SHA1:	5CFEBACFF659D5304E551EE5CB856557DA4209DD
SHA-256:	3989FE38739BBA3E3DD9D60C4364D9DCCA55F44A1B1786DE77F97F17CA0EF21B
SHA-512:	4EA4FE3058DBDCF3E4A876F30624CA9D7E3B98AE60A2DFD28892D0615674DFE95229AA65AD25DB2C0E2BAFF988EED7114128118156EE6AE1910B9E6C7CF6E513
Malicious:	false
Reputation:	unknown
Preview:	/*! ------------------------------------------- START OF THIRD PARTY NOTICE -----------------------------------------....This file is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Microsoft product. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise. ....WinJS....Copyright (c) Microsoft Corporation. All Rights Reserved. Licensed under the MIT License. See License.txt in the project root for license information.....Provided for Informational Purposes Only....MIT License ....Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Softw

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\OPITYR77\oneDs_f2e0f4a029670f10d892[1].js

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	190152
Entropy (8bit):	5.348678574819375
Encrypted:	false
SSDEEP:
MD5:	4877EFC88055D60953886EC55B04DE34
SHA1:	2341B026A3E2A3B01AFA1A39D1706840D75E09B3
SHA-256:	8405362EB8F09DF13AE244DE155B51B1577274673D9728B6C81CD0278A63C8B0
SHA-512:	625844EDC37594D5C2F7622BD1B59278BF68ABB2FA22476C56826433C961C7B1924858A7588F8B6284D3C5AC8738ECB895EEC949DE18667A98C04A59CB03DAC0
Malicious:	false
Reputation:	unknown
Preview:	(window.telemetry_webpackJsonp=window.telemetry_webpackJsonp\|\|[]).push([[2],[,,,function(e,t,n){"use strict";n.r(t),n.d(t,"ValueKind",(function(){return r.e})),n.d(t,"EventLatency",(function(){return r.a})),n.d(t,"EventPersistence",(function(){return r.b})),n.d(t,"TraceLevel",(function(){return r.d})),n.d(t,"AppInsightsCore",(function(){return i.a})),n.d(t,"BaseCore",(function(){return d})),n.d(t,"_ExtendedInternalMessageId",(function(){return r.f})),n.d(t,"EventPropertyType",(function(){return r.c})),n.d(t,"ESPromise",(function(){return g})),n.d(t,"ESPromiseScheduler",(function(){return C})),n.d(t,"ValueSanitizer",(function(){return I})),n.d(t,"NotificationManager",(function(){return E.a})),n.d(t,"BaseTelemetryPlugin",(function(){return S.a})),n.d(t,"ProcessTelemetryContext",(function(){return N.a})),n.d(t,"MinChannelPriorty",(function(){return w.a})),n.d(t,"EventsDiscardedReason",(function(){return P.a})),n.d(t,"DiagnosticLogger",(function(){return c.a})),n.d(t,"LoggingSeverity",(fun

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\OPITYR77\signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6[1].svg

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	SVG Scalable Vector Graphics image
Category:	modified
Size (bytes):	1592
Entropy (8bit):	4.205005284721148
Encrypted:	false
SSDEEP:
MD5:	4E48046CE74F4B89D45037C90576BFAC
SHA1:	4A41B3B51ED787F7B33294202DA72220C7CD2C32
SHA-256:	8E6DB1634F1812D42516778FC890010AA57F3E39914FB4803DF2C38ABBF56D93
SHA-512:	B2BBA2A68EDAA1A08CFA31ED058AFB5E6A3150AABB9A78DB9F5CCC2364186D44A015986A57707B57E2CC855FA7DA57861AD19FC4E7006C2C239C98063FE903CF
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="48" height="48" viewBox="0 0 48 48"><defs><style>.a{fill:none;}.b{fill:#404040;}</style></defs><rect class="a" width="48" height="48"/><path class="b" d="M40,32.578V40H32V36H28V32H24V28.766A10.689,10.689,0,0,1,19,30a10.9,10.9,0,0,1-5.547-1.5,11.106,11.106,0,0,1-2.219-1.719A11.373,11.373,0,0,1,9.5,24.547a10.4,10.4,0,0,1-1.109-2.625A11.616,11.616,0,0,1,8,19a10.9,10.9,0,0,1,1.5-5.547,11.106,11.106,0,0,1,1.719-2.219A11.373,11.373,0,0,1,13.453,9.5a10.4,10.4,0,0,1,2.625-1.109A11.616,11.616,0,0,1,19,8a10.9,10.9,0,0,1,5.547,1.5,11.106,11.106,0,0,1,2.219,1.719A11.373,11.373,0,0,1,28.5,13.453a10.4,10.4,0,0,1,1.109,2.625A11.616,11.616,0,0,1,30,19a10.015,10.015,0,0,1-.125,1.578,10.879,10.879,0,0,1-.359,1.531Zm-2,.844L27.219,22.641a14.716,14.716,0,0,0,.562-1.782A7.751,7.751,0,0,0,28,19a8.786,8.786,0,0,0-.7-3.5,8.9,8.9,0,0,0-1.938-2.859A9.269,9.269,0,0,0,22.5,10.719,8.9,8.9,0,0,0,19,10a8.786,8.786,0,0,0-3.5.7,8.9,8.9,0,0,0-2.859,1.938A9.269,9.269,0,0,0,

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\Q570FTPW\microsoft_logo_564db913a7fa0ca42727161c6d031bef[1].svg

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	3651
Entropy (8bit):	4.094801914706141
Encrypted:	false
SSDEEP:
MD5:	EE5C8D9FB6248C938FD0DC19370E90BD
SHA1:	D01A22720918B781338B5BBF9202B241A5F99EE4
SHA-256:	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
SHA-512:	C77215B729D0E60C97F075998E88775CD0F813B4D094DC2FDD13E5711D16F4E5993D4521D0FBD5BF7150B0DBE253D88B1B1FF60901F053113C5D7C1919852D58
Malicious:	false
Reputation:	unknown
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0,0,1,.419-.967,1.413,1.413,0,0,1,1-.39,1.392,1.392,0,0,1,1.02.4,1.3,1.3,0,0,1,.4.958,1.248,1.248,0,0,1-.414.953,1.428,1.428,0,0,1-1.01.385A1.4,1.4,0,0,1,47.25,6.6a1.261,1.261,0,0,1-.409-.948M49.41,18.4H47.081V8.507H49.41Zm7.064-1.694a3.213,3.213,0,0,0,1.145-.241,4.811,4.811,0,0,0,1.155-.635V18a4.665,4.665,0,0,1-1.266.481,6.886,6.886,0,0,1-1.554.164,4.707,4.707,0,0,1-4.918-4.908,5.641,5.641,0,0,1,1.4-3.932,5.055,5.055,0,0,1,3.955-1.545,5.414,5.414,0,0,1,1.324.168,4.431,4.431,0,0,1,1.063.39v2.233a4.763,4.763,0,0,0-1.1-.611,3.184,3.184,0,0,0-1.15-.217,2.919,2.919,0,0,0-2.223.9,3.37,3.37,0,0,0-.847,2.416,3.216,3.216,0,0,0,.813,2.338,2.936,2.936,0,0,0,2.209.837M65.4,8.343a2.952,2.952,0,0,1,.5.039,2.1,2.1,0,0,1,.375.1v2.358a2.04,2.04,0,0,0-.

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RLLV1W2J\microsoft.windows[1].xml

Download File

Process:	C:\Windows\System32\WWAHost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	13
Entropy (8bit):	2.469670487371862
Encrypted:	false
SSDEEP:
MD5:	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5
SHA1:	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966
SHA-256:	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
SHA-512:	6BE8CEC7C862AFAE5B37AA32DC5BB45912881A3276606DA41BF808A4EF92C318B355E616BF45A257B995520D72B7C08752C0BE445DCEADE5CF79F73480910FED
Malicious:	false
Reputation:	unknown
Preview:	<root></root>

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\AppData\Local\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\16AD7431-2A52-454E-BCDF-097399330E6C

Download File

Process:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	177048
Entropy (8bit):	5.293869309207457
Encrypted:	false
SSDEEP:
MD5:	0B4340BA8671B53CAF10F38E14D7FC53
SHA1:	3FA30C05AD584881C9E9750441CEA2F3C37F1A5C
SHA-256:	2547022428FA82FA06BB5E0B12D0CD75942B36B7E8B22BCF5587DA406651A985
SHA-512:	A5E97D920CC5C93971F578ABC9D731352B1342371C43BEE1CE4198E7D2E6E0940614D1F979ECAEEC1E5653D02A6913E6C9546BE885787915F7D38DE369712B78
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-31T06:18:38">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 05:18:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9745298638509365
Encrypted:	false
SSDEEP:
MD5:	D7D361E5018D03AA180CA08D88DF2896
SHA1:	5429F1F9927C651E58A82FFDA1C2F8F3568EA216
SHA-256:	4ABBDC3DA6680E1C6B3E0794B06F216647F0A7E68643450C83BCFA6FF82D1FA6
SHA-512:	74D830D7171D0B6FF7678831EA7178231D719E56BAE8003C175CEBAEFF7D263C2E0912FDFB34125884F3B8148333B92DF660EE1B4A96BC3DC588885B5174DD47
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....y.<.\+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V_YR2...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 05:18:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.9893838170657974
Encrypted:	false
SSDEEP:
MD5:	BC5E1EFFAD0ED050D6D408D43B60C00C
SHA1:	9D74310B71BACBD3D043093B61A0685492972442
SHA-256:	1CB3BD9F6E3DE25618BBC6FA54259AA82885BDBA112AE7BA9387AE22BF24FB2D
SHA-512:	6A1FC30338870F21897590D7D4380B7B9AE42394BA941A078E29D4B272661AD881622C549E78E0CFF5DEB982E3E54C93EAD54D66A54638374D8F7D32A112CBC5
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......1.\+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V_YR2...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.0011614340026105
Encrypted:	false
SSDEEP:
MD5:	0F33123EC555E07EE02E3B96524BF09C
SHA1:	9379ED438664D8F891ACA0D2B6A1CB3521F23919
SHA-256:	41493BA5B5CFDF2D74DBAAC51FA78FC29E62865DF27329C6C7FF2AA3EEBE5C32
SHA-512:	FB904142FA8161D5637C43825BD044870C0F907ABD44620AA84FBE15B78574303F5FC3733CE1AFC10D00C129CA0B4A1747B8EE4873209AA7FA4B4DAF40159665
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 05:18:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988718606549099
Encrypted:	false
SSDEEP:
MD5:	8B0620D6DEE9F3724BC63CEF5C8152A2
SHA1:	23C9A04C0F8B9F4A7C9D13A8A4CEB148342F6E5D
SHA-256:	76C52003B7CA6DD06446E0958A1C13FAF0D4546D0D937119EB30004644C46405
SHA-512:	263C1BD456651482EAD84D6439B0BDBEC4E5FB51E763C70B049A37A22849E1100A1385DAC5760B0247197D85FA6512A28C64B85ED935EC768CBFB4CD48CFFB9F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......\+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V_YR2...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 05:18:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9756034732297105
Encrypted:	false
SSDEEP:
MD5:	EB706069B28761248CFA3DC8E91D49CF
SHA1:	48FD5C023D22EEBA73B8A80E77FD41B79603450E
SHA-256:	B9A7DE11F0B2B9E412C00549D2854A44BF9FB1B10A17C12F5B4E3FD2BC27034A
SHA-512:	DEC31C4F4D7ACEC17105DFC52B64202A00E445818E13631F9AB90F5C74147AD4E5CDCDA7A33C38C10CBDD003807C9F452266A0BE06241160C245FD4138864D26
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....6.\+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V_YR2...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 05:18:34 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9871134051404775
Encrypted:	false
SSDEEP:
MD5:	B9C0BF71FFD4A539F7858B77E831094D
SHA1:	14171694E9E3484808F1C757BD1D641DCB16EE99
SHA-256:	2AAE2D71042C08315A67AD3F139A7C19B9B0FFC83A2A404C56CF558EDDA40177
SHA-512:	4FD1DF8EA44151683D587B2F0B6F02D6442C708393839DDB790B88B30DF355584D0063E4E575E255EC831E001FCA2D0A1CD583BC86CE23746EA0BDE05F5CC551
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....=!.\+..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I_YI2....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V_YP2....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V_YP2....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V_YP2..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V_YR2...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............3......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Static File Info

⊘No static file info

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\AOYVKG3S\2_11d9e3bcdfede9ce5ce5ace2d129f1c4[1].svg

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\AOYVKG3S\Converged_v22057_mG-wAdV--_sq1kXms675SA2[1].css

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\B3UQP68X\ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2[1].js

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\B3UQP68X\WinJS_vcvx4TydCFioSeM4NLxTDw2[1].js

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\OPITYR77\oneDs_f2e0f4a029670f10d892[1].js

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\OPITYR77\signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6[1].svg

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\Q570FTPW\microsoft_logo_564db913a7fa0ca42727161c6d031bef[1].svg

C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RLLV1W2J\microsoft.windows[1].xml

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\AppData\Local\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\16AD7431-2A52-454E-BCDF-097399330E6C

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Static File Info

Windows Analysis Report
https://lx-capricorn-star-mail.qiye.163.com/api/j/re?c=mailto%3Asara%40dekcnc.com