Windows Analysis Report
000001 (5).jpg

Overview

General Information

Sample name:	000001 (5).jpg
Analysis ID:	1566841
MD5:	8379568464d8a4253eb8623701ad8c04
SHA1:	6b457dadfcc171b39fcb2028b4e51aef8f61322f
SHA256:	326390f2e71521df5d9f2e6f49dcb51ec0119faa146c48fe03a78c55f386913f
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the volume information (name, serial number etc) of a device

Uses a known web browser user agent for HTTP communication

Classification

Signatures

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49711 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 152.199.21.175 152.199.21.175

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Origin: https://login.live.comReferer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: lgincdnvzeuno.azureedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Origin: https://login.live.comReferer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: lgincdnvzeuno.azureedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: logincdn.msftauth.net

Source: WWAHost.exe, 0000000D.00000003.1974444710.000002402D2BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/2005125-21
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: http://knockoutjs.com/
Source: WWAHost.exe, 0000000D.00000003.1489501355.000002402D230000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2012513223.000002402D710000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2002316240.000002402D1B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/purpose
Source: WWAHost.exe, 0000000D.00000003.1490172665.000002402D112000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://requirejs.org/docs/errors.html#
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://requirejs.org/docs/errors.html#n
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policytory
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/.dll
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5BC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.json.org/json2.js
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory-ppe.windowsazure.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.cn/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.us/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/
Source: WWAHost.exe, 0000000D.00000003.1543648028.000002403FA60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/ChangePassword?uaid=b62f4fbb6d6345d6b8e48b4581689b9969adc3c768bd4dc08c19416
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/ResetPassword.aspx?id=80604&platform=Windows10&client_id=S-1-15-2-222695769
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/query.aspx?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057&id=80604
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A1E000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2052563822.000002403F3D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/username/recover?id=80604&mkt=EN-GB&lc=2057&uaid=b62f4fbb6d6345d6b8e48b4581
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msauth.net
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msauth.net/
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msftauth.net
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999548030.000002402D096000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msftauth.net/
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.2000454561.000002402D113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/:Thu
Source: WWAHost.exe, 0000000D.00000003.1550101738.000002403F5AC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/https://lgincdnmsftuswe2.azureedge.net/https://acctcdnvzeuno.
Source: WWAHost.exe, 0000000D.00000002.2000454561.000002402D113000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnvzeuno.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buy.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buy.live.com/
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: https://github.com/douglascrockford/JSON-js
Source: WWAHost.exe, 0000000D.00000002.2086459255.0000024040FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.analytics-web-2.min.js
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: WWAHost.exe, 0000000D.00000003.1550101738.000002403F5AC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/:Mon
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1995695601.0000024029400000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1974444710.000002402D2BD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://lginc
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://login
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssly
Source: WWAHost.exe, 0000000D.00000002.1995695601.0000024029400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csspz
Source: WWAHost.exe, 0000000D.00000003.1543648028.000002403FA60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/https://lgincdnmsftuswe2.azureedge.net/b62f4fbb6d6345d6b8e48b458
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/j
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2186347937.0000024057956000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2186764883.0000024057979000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2186347937.0000024057960000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1926279426.0000024057920000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2187972994.00000240579C2000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2205816020.00000240586F9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1996597640.0000024029462000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2129808328.0000024055DD6000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1815578119.000002403F9FF000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1702955783.000002403F9F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/-
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//js/cloudDomainJoin.js
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/CDoc.TopLevelNavigation
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2187972994.00000240579C2000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/GetCredentialType.srf?id=80604&platform=Windows10&id=80604&clientid=S-1-15-2-
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/GetSessionState.srf?platform=Windows10&id=80604&clientid=S-1-15-2-2226957697-
Source: WWAHost.exe, 0000000D.00000002.2094734352.000002404519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/Windows.UI.WebUI.SuspendingEventArgs
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057ht
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/h
Source: WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-GB&lc=2057&uaid=b62f4fbb6d6345d6b8e48b4581689b99
Source: WWAHost.exe, 0000000D.00000002.2187877759.00000240579B1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1985552175.00000238267E3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2094236482.0000024045136000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf%3fplatform%3dWindows10%26id%3d80604%26clientid%3dS-1
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clienti
Source: WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?platform=Windows10&id=80604&clientid=S-1-
Source: WWAHost.exe, 0000000D.00000003.1543568434.000002403F3D9000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2052563822.000002403F3D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?platform=Windows10&id=80604&clientid=S-1-15-2-222695
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2114441817.00000240558D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/post.srf?mkt=en-GB&platform=Windows10&id=80604&clientid=S-1-15-2-222
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/t/
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/t;
Source: WWAHost.exe, 0000000D.00000002.2024208970.000002403E166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline-ppe.com/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/CloudDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/ConnectAADAccount/ion4.-3&
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/DeviceDisplayName/
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/DeviceSubscription/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/https://login.microsoftonline.com/WebApp/Auto
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/https://login.microsoftonline.com/WebApp/Wind
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/UnifiedEnrollment/
Source: WWAHost.exe, 0000000D.00000002.2024589629.000002403E170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/WindowsLogon/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.de/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.de/ost
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.us/ost
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.partner.microsoftonline.cn/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/AutoPilot/A
Source: WWAHost.exe, 0000000D.00000002.2015226443.000002402D810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/CloudDomainJoin/https://login.microsoftonline.com/WebApp/OtaDom
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/ConnectAADAccount/https://login.windows-ppe.net/WebApp/CloudDom
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceDisplayName/ms-appx-web://microsoft.cloudexperiencehost.t
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceSubscription/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceSubscription/tmlms-appx://microsoft.windows.cloudexperien
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2015226443.000002402D810000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/OtaDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/OtaDomainJoin/https://login.windows-ppe.net/WebApp/WindowsLogon
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/UnifiedEnrollment/
Source: WWAHost.exe, 0000000D.00000002.2024589629.000002403E170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/WindowsLogon/
Source: WWAHost.exe, 0000000D.00000002.1999548030.000002402D096000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1635219498.000002403DC6C000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msauth.net/
Source: WWAHost.exe, 0000000D.00000002.2059475704.000002403F7F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msauth.net/https://logincdn.msftauth.net/Windows.Storage.ApplicationData
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1975817843.0000024040AEC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1635219498.000002403DC6C000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A1E000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000.30405.9/agreements/privacy/en-gb/privacy.txt?x=16.000.30405.9
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000.30405.9/agreements/tou/en-oed/TOU.txt?x=16.000.30405.9
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css3
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css3l
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css8
Source: WWAHost.exe, 0000000D.00000003.1745438737.000002405843F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://lgincdnvzeu
Source: WWAHost.exe, 0000000D.00000002.1998933578.000002402D049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csstware
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssx
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssy
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5CD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066762633.0000024040243000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066373568.0000024040220000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2130067460.0000024055DF3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040AAB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2057040675.000002403F5D5000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999362547.000002402D081000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2188106991.00000240579CE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js2.css
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/
Source: WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2136356977.0000024056020000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1771492777.0000024058438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1
Source: WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b3
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80
Source: WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031
Source: WWAHost.exe, 0000000D.00000002.2108189703.0000024045780000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ea19b2112f4dfd8e90b4505ef7dcb
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_white_b71098d9cfa668f68191671
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_white_f024dc0422bf3c64a9cb960
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2160120603.0000024056980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/picker_account_msa_3b879963b4f70829fd7a25cbc
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2160120603.0000024056980000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999362547.000002402D081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/picker_account_msa_7a63b3ce03943629f052226aa
Source: WWAHost.exe, 0000000D.00000002.2205816020.00000240586E6000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1771492777.0000024058438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5CD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066373568.0000024040220000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js(
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js8
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.jsh
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.jsx
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2086459255.0000024040FA0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2188106991.00000240579CE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js3
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.jsIvD7nbPy0DBHw2.js-i
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.jss
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems/edit/20742103
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems/edit/20742115
Source: WWAHost.exe, 0000000D.00000003.1489281122.000002402D0C3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2002316240.000002402D1B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems?id=21748634&_a=edit
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1974444710.000002402D297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems?id=8705838&_a=edit)
Source: WWAHost.exe, 0000000D.00000002.2000669273.000002402D128000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mysite.com/Apps/App1
Source: WWAHost.exe, 0000000D.00000002.2000669273.000002402D128000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mysite.com/Apps/App2
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oloobe.officeapps.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oloobe.officeapps.live.com/
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live-int.com/windows/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/windows/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://password.ccsctp.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwordreset.activedirectory.windowsazure.cn/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwordreset.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdx.microsoft-int.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdx.microsoft-ppe.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/
Source: WWAHost.exe, 0000000D.00000002.2185852902.0000024057934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup?platform=Windows10&id=80604&clientid=S-1-15-2-2226957697-3030467180-2
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tip.passwordreset.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/dhpP
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/mmx
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ntp
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ntpC:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49711 version: TLS 1.2

Source: classification engine

Classification label: clean2.winJPG@2/16@1/1

Source: C:\Windows\System32\WWAHost.exe

File created: C:\Users\user\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RLLV1W2J\microsoft.windows[1].xml

Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe "C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
Source: unknown	Process created: C:\Windows\System32\WWAHost.exe "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaext.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgehtml.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: chakra.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuuc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuin.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgemanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgeiso.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cloudexperiencehostcommon.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webruntimemanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountwamextension.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountextension.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: aadauthhelper.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.http.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webauthn.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: globinputhost.dll	Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240283A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240291B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240292B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D940000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402DA60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DDC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DF00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DF60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E440000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E480000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E6D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E8A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EAB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EBF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403ED60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EF20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F020000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F060000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F6D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403FB10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402DB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F890000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045200000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240402A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A70000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: WWAHost.exe, 0000000D.00000002.1981495973.0000023826673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXT9-VMWare
Source: WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
152.199.21.175	sni1gl.wpc.alphacdn.net	United States		15133	EDGECASTUS	false

Contacted Domains

Name	IP	Active
sni1gl.wpc.alphacdn.net	152.199.21.175	true
logincdn.msftauth.net	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif	false	high
https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js	false	high
https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif	false	high
https://logincdn.msftauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg	false	high
https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg	false	high
https://logincdn.msftauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js	false	high
https://logincdn.msftauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2.js	false	high
https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css	false	high
https://logincdn.msftauth.net/shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg	false	high

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\72HOFR41\2_11d9e3bcdfede9ce5ce5ace2d129f1c4[1].svg	SVG Scalable Vector Graphics image	BC3D32A696895F78C19DF6C717586A5D	9191CB156A30A3ED79C44C0A16C95159E8FF689D	0E88B6FCBB8591EDFD28184FA70A04B6DD3AF8A14367C628EDD7CABA32E58C68
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\72HOFR41\Converged_v22057_mG-wAdV--_sq1kXms675SA2[1].css	ASCII text, with very long lines (61112)	986FB001D57EFBFB2AD645E6B3AEF948	A1590F0BC684D395A6179FB915DEECA3A9321D89	DE304CB4D64E769DD16A7B4500603205D2606FE0877DD046460C7B8DF06A31B3
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\72HOFR41\microsoft_logo_564db913a7fa0ca42727161c6d031bef[1].svg	SVG Scalable Vector Graphics image	EE5C8D9FB6248C938FD0DC19370E90BD	D01A22720918B781338B5BBF9202B241A5F99EE4	04D29248EE3A13A074518C93A18D6EFC491BF1F298F9B87FC989A6AE4B9FAD7A
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\GMCXXDTK\Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js	ASCII text, with very long lines (64616)	B7273977EDD8908BC3EE76CFCB40C11F	39A6DCE4076557A299A17EA14B7CE9C9C6D35EEA	7D0B46AE9F672462390C00EB25BBFB780B3991E6650D58C4BE803372050C9F4B
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\GMCXXDTK\signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6[1].svg	SVG Scalable Vector Graphics image	4E48046CE74F4B89D45037C90576BFAC	4A41B3B51ED787F7B33294202DA72220C7CD2C32	8E6DB1634F1812D42516778FC890010AA57F3E39914FB4803DF2C38ABBF56D93
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\GOPNT4EG\ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2[1].js	HTML document, Unicode text, UTF-8 text, with very long lines (32359)	C4A2D8A4F477713CF51B6ABE8BB8B42B	82A09AF90939776FAB8AB2CF6ABDC793922A64F2	00F747E1C02B1B5FE4A3B149DD9E83E766AF2DCBA989B0E7D2CDD347E8541D6C
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\GOPNT4EG\WinJS_vcvx4TydCFioSeM4NLxTDw2[1].js	Unicode text, UTF-8 text, with very long lines (32032), with CRLF line terminators	BDCBF1E13C9D0858A849E33834BC530F	5CFEBACFF659D5304E551EE5CB856557DA4209DD	3989FE38739BBA3E3DD9D60C4364D9DCCA55F44A1B1786DE77F97F17CA0EF21B
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\MSIMGSIZ.DAT	data	0392ADA071EB68355BED625D8F9695F3	777253141235B6C6AC92E17E297A1482E82252CC	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\RE0I21MA\Converged_v22057_mG-wAdV--_sq1kXms675SA2[1].css	ASCII text, with very long lines (61112)	986FB001D57EFBFB2AD645E6B3AEF948	A1590F0BC684D395A6179FB915DEECA3A9321D89	DE304CB4D64E769DD16A7B4500603205D2606FE0877DD046460C7B8DF06A31B3
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\RE0I21MA\marching_ants_986f40b5a9dc7d39ef8396797f61b323[1].gif	GIF image data, version 89a, 352 x 3	B540A8E518037192E32C4FE58BF2DBAB	3047C1DB97B86F6981E0AD2F96AF40CDF43511AF	8737D721808655F37B333F08A90185699E7E8B9BDAAA15CDB63C8448B426F95D
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\RE0I21MA\marching_ants_white_8257b0707cbe1d0bd2661b80068676fe[1].gif	GIF image data, version 89a, 352 x 3	166DE53471265253AB3A456DEFE6DA23	17C6DF4D7CCF1FA2C9EFD716FBAE0FC2C71C8D6D	A46201581A7C7C667FD42787CD1E9ADF2F6BF809EFB7596E61A03E8DBA9ADA13
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\INetCache\RE0I21MA\oneDs_f2e0f4a029670f10d892[1].js	ASCII text, with very long lines (65536), with no line terminators	4877EFC88055D60953886EC55B04DE34	2341B026A3E2A3B01AFA1A39D1706840D75E09B3	8405362EB8F09DF13AE244DE155B51B1577274673D9728B6C81CD0278A63C8B0
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J7E7MWJW\login.live[1].xml	ASCII text, with no line terminators	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RLLV1W2J\microsoft.windows[1].xml	ASCII text, with no line terminators	C1DDEA3EF6BBEF3E7060A1A9AD89E4C5	35E3224FCBD3E1AF306F2B6A2C6BBEA9B0867966	B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat	MS Windows registry file, NT/2000 or above	488B5EEC7186AB4F311ADF6D6A6F6351	FEEFD119F0726D36A714CF59FE41E2A36692EAC7	3166FC22C1277651F68B7D272C3FA07E4BD15768BB5E259B107F05432629D795
C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1	MS Windows registry file, NT/2000 or above	9BD6518B073A5C1DE6E505DF7C644C3B	E5FA9DE2A5CF8FDD88C25B9F16AD2A20F381C61F	E74A9F299A56434663695F49189A44A05152B50F50B61B77968FFD06EE260E03

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49711 version: TLS 1.2

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 152.199.21.175 152.199.21.175

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Origin: https://login.live.comReferer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: lgincdnvzeuno.azureedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css HTTP/1.1Origin: https://login.live.comReferer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: text/css,/;q=0.1Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: lgincdnvzeuno.azureedge.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q-i7i0Kw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab8c6.svg HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80068676fe.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b323.gif HTTP/1.1Referer: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clientid=S-1-15-2-2226957697-3030467180-2301525-4248967783-2024719031-2325529081-2915787518Accept: image/png,image/svg+xml,image/;q=0.8,/*;q=0.5Accept-Language: en-CHAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; MSAppHost/3.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: logincdn.msftauth.netConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: logincdn.msftauth.net

Source: WWAHost.exe, 0000000D.00000003.1974444710.000002402D2BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/2005125-21
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: http://knockoutjs.com/
Source: WWAHost.exe, 0000000D.00000003.1489501355.000002402D230000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2012513223.000002402D710000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2002316240.000002402D1B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/purpose
Source: WWAHost.exe, 0000000D.00000003.1490172665.000002402D112000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://requirejs.org/docs/errors.html#
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://requirejs.org/docs/errors.html#n
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policytory
Source: WWAHost.exe, 0000000D.00000002.2027005517.000002403E26E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/.dll
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5BC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.json.org/json2.js
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0C9000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.php)
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory-ppe.windowsazure.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.cn/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.activedirectory.windowsazure.us/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/
Source: WWAHost.exe, 0000000D.00000003.1543648028.000002403FA60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/ChangePassword?uaid=b62f4fbb6d6345d6b8e48b4581689b9969adc3c768bd4dc08c19416
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/ResetPassword.aspx?id=80604&platform=Windows10&client_id=S-1-15-2-222695769
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/query.aspx?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057&id=80604
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A1E000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2052563822.000002403F3D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/username/recover?id=80604&mkt=EN-GB&lc=2057&uaid=b62f4fbb6d6345d6b8e48b4581
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msauth.net
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msauth.net/
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msftauth.net
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999548030.000002402D096000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdn.msftauth.net/
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.2000454561.000002402D113000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/:Thu
Source: WWAHost.exe, 0000000D.00000003.1550101738.000002403F5AC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/https://lgincdnmsftuswe2.azureedge.net/https://acctcdnvzeuno.
Source: WWAHost.exe, 0000000D.00000002.2000454561.000002402D113000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://acctcdnvzeuno.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buy.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buy.live.com/
Source: WWAHost.exe, 0000000D.00000002.2127909312.0000024055CFD000.00000004.00000020.00020000.00000000.sdmp, Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2[1].js.13.dr	String found in binary or memory: https://github.com/douglascrockford/JSON-js
Source: WWAHost.exe, 0000000D.00000002.2086459255.0000024040FA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.analytics-web-2.min.js
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: WWAHost.exe, 0000000D.00000003.1550101738.000002403F5AC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/:Mon
Source: WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1995695601.0000024029400000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1974444710.000002402D2BD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999861145.000002402D0BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://lginc
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://login
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssly
Source: WWAHost.exe, 0000000D.00000002.1995695601.0000024029400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csspz
Source: WWAHost.exe, 0000000D.00000003.1543648028.000002403FA60000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/https://lgincdnmsftuswe2.azureedge.net/b62f4fbb6d6345d6b8e48b458
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/j
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2186347937.0000024057956000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2186764883.0000024057979000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2186347937.0000024057960000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1926279426.0000024057920000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2187972994.00000240579C2000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2205816020.00000240586F9000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1996597640.0000024029462000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2129808328.0000024055DD6000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1815578119.000002403F9FF000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1702955783.000002403F9F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/-
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//js/cloudDomainJoin.js
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/CDoc.TopLevelNavigation
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2187972994.00000240579C2000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/GetCredentialType.srf?id=80604&platform=Windows10&id=80604&clientid=S-1-15-2-
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/GetSessionState.srf?platform=Windows10&id=80604&clientid=S-1-15-2-2226957697-
Source: WWAHost.exe, 0000000D.00000002.2094734352.000002404519B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/Windows.UI.WebUI.SuspendingEventArgs
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=b62f4fbb6d6345d6b8e48b4581689b99&mkt=EN-GB&lc=2057ht
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/h
Source: WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/jsDisabled.srf?mkt=EN-GB&lc=2057&uaid=b62f4fbb6d6345d6b8e48b4581689b99
Source: WWAHost.exe, 0000000D.00000002.2187877759.00000240579B1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1985552175.00000238267E3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2094236482.0000024045136000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf%3fplatform%3dWindows10%26id%3d80604%26clientid%3dS-1
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D159000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604&scid=1&mkt=en-GB&Platform=Windows10&clienti
Source: WWAHost.exe, 0000000D.00000003.1533090323.0000024040B6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?platform=Windows10&id=80604&clientid=S-1-
Source: WWAHost.exe, 0000000D.00000003.1543568434.000002403F3D9000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2052563822.000002403F3D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?platform=Windows10&id=80604&clientid=S-1-15-2-222695
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2114441817.00000240558D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/post.srf?mkt=en-GB&platform=Windows10&id=80604&clientid=S-1-15-2-222
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/t/
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/t;
Source: WWAHost.exe, 0000000D.00000002.2024208970.000002403E166000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline-ppe.com/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/CloudDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/ConnectAADAccount/ion4.-3&
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/DeviceDisplayName/
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/DeviceSubscription/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/https://login.microsoftonline.com/WebApp/Auto
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/OtaDomainJoin/https://login.microsoftonline.com/WebApp/Wind
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/UnifiedEnrollment/
Source: WWAHost.exe, 0000000D.00000002.2024589629.000002403E170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/WebApp/WindowsLogon/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.de/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.de/ost
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.us/ost
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.partner.microsoftonline.cn/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/AutoPilot/A
Source: WWAHost.exe, 0000000D.00000002.2015226443.000002402D810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/CloudDomainJoin/https://login.microsoftonline.com/WebApp/OtaDom
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/ConnectAADAccount/https://login.windows-ppe.net/WebApp/CloudDom
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceDisplayName/ms-appx-web://microsoft.cloudexperiencehost.t
Source: WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceSubscription/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/DeviceSubscription/tmlms-appx://microsoft.windows.cloudexperien
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/NextGenCredentials/
Source: WWAHost.exe, 0000000D.00000002.2015226443.000002402D810000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/OtaDomainJoin/
Source: WWAHost.exe, 0000000D.00000002.2014411576.000002402D7B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/OtaDomainJoin/https://login.windows-ppe.net/WebApp/WindowsLogon
Source: WWAHost.exe, 0000000D.00000002.2038749653.000002403EBD0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/UnifiedEnrollment/
Source: WWAHost.exe, 0000000D.00000002.2024589629.000002403E170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.windows-ppe.net/WebApp/WindowsLogon/
Source: WWAHost.exe, 0000000D.00000002.1999548030.000002402D096000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1635219498.000002403DC6C000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msauth.net/
Source: WWAHost.exe, 0000000D.00000002.2059475704.000002403F7F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msauth.net/https://logincdn.msftauth.net/Windows.Storage.ApplicationData
Source: WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1975817843.0000024040AEC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040A33000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1635219498.000002403DC6C000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069952912.00000240404AE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/
Source: WWAHost.exe, 0000000D.00000002.2076288143.0000024040A1E000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000.30405.9/agreements/privacy/en-gb/privacy.txt?x=16.000.30405.9
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000.30405.9/agreements/tou/en-oed/TOU.txt?x=16.000.30405.9
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266C1000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css3
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css3l
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.css8
Source: WWAHost.exe, 0000000D.00000003.1745438737.000002405843F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csshttps://lgincdnvzeu
Source: WWAHost.exe, 0000000D.00000002.1998933578.000002402D049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.csstware
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssx
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1533171764.000002404045A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/Converged_v22057_mG-wAdV--_sq1kXms675SA2.cssy
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2056378952.000002403F5CD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066762633.0000024040243000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066373568.0000024040220000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2130067460.0000024055DF3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076884579.0000024040AAB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2076288143.0000024040A00000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2057040675.000002403F5D5000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999362547.000002402D081000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_xKLYpPR3cTz1G2q
Source: WWAHost.exe, 0000000D.00000002.2069308477.000002404045B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2063597888.000002403FA5D000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2188106991.00000240579CE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js
Source: WWAHost.exe, 0000000D.00000002.2077572648.0000024040ACC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/16.000/content/js/WinJS_vcvx4TydCFioSeM4NLxTDw2.js2.css
Source: WWAHost.exe, 0000000D.00000003.1532794863.0000024040B69000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/
Source: WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2136356977.0000024056020000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1771492777.0000024058438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1
Source: WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_986f40b5a9dc7d39ef8396797f61b3
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/marching_ants_white_8257b0707cbe1d0bd2661b80
Source: WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031
Source: WWAHost.exe, 0000000D.00000002.2108189703.0000024045780000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2094236482.0000024045121000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_ea19b2112f4dfd8e90b4505ef7dcb
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_white_b71098d9cfa668f68191671
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/microsoft_logo_white_f024dc0422bf3c64a9cb960
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2160120603.0000024056980000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/picker_account_msa_3b879963b4f70829fd7a25cbc
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2160120603.0000024056980000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1999362547.000002402D081000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/picker_account_msa_7a63b3ce03943629f052226aa
Source: WWAHost.exe, 0000000D.00000002.2205816020.00000240586E6000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1997618060.00000240294CB000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1771492777.0000024058438000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/images/signin-options_3e3f6b73c3f310c31d2c4d131a8ab
Source: WWAHost.exe, 0000000D.00000002.2056378952.000002403F5CD000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2066373568.0000024040220000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1655092917.0000024040870000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1550101738.000002403F5CC000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2078009095.0000024040B1B000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2069041711.0000024040444000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1982224079.00000238266E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js
Source: WWAHost.exe, 0000000D.00000002.2060487548.000002403F853000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js(
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.js8
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.jsh
Source: WWAHost.exe, 0000000D.00000002.2078584237.0000024040B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/Win10HostLogin_PCore_tyc5d-3YkIvD7nbPy0DBHw2.jsx
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2086459255.0000024040FA0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2188106991.00000240579CE000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js3
Source: WWAHost.exe, 0000000D.00000002.1996889839.0000024029490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.jsIvD7nbPy0DBHw2.js-i
Source: WWAHost.exe, 0000000D.00000002.2027929595.000002403E2C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://logincdn.msftauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.jss
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems/edit/20742103
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems/edit/20742115
Source: WWAHost.exe, 0000000D.00000003.1489281122.000002402D0C3000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2002316240.000002402D1B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems?id=21748634&_a=edit
Source: WWAHost.exe, 0000000D.00000002.2000833331.000002402D139000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1974444710.000002402D297000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://microsoft.visualstudio.com/OS/_workitems?id=8705838&_a=edit)
Source: WWAHost.exe, 0000000D.00000002.2000669273.000002402D128000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mysite.com/Apps/App1
Source: WWAHost.exe, 0000000D.00000002.2000669273.000002402D128000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000003.1490172665.000002402D106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mysite.com/Apps/App2
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oloobe.officeapps.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oloobe.officeapps.live.com/
Source: WWAHost.exe, 0000000D.00000002.2037367102.000002403EB50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live-int.com/windows/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/windows/
Source: WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://password.ccsctp.com/
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwordreset.activedirectory.windowsazure.cn/
Source: WWAHost.exe, 0000000D.00000002.2014639499.000002402D7D0000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://passwordreset.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdx.microsoft-int.com/
Source: WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sdx.microsoft-ppe.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live-int.com/
Source: WWAHost.exe, 0000000D.00000002.2023886655.000002403E130000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.2015512711.000002402D830000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000D.00000002.1981792938.0000023826695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/
Source: WWAHost.exe, 0000000D.00000002.2185852902.0000024057934000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup?platform=Windows10&id=80604&clientid=S-1-15-2-2226957697-3030467180-2
Source: WWAHost.exe, 0000000D.00000002.1981077297.0000023826641000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tip.passwordreset.microsoftonline.com/
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/dhpP
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/mmx
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ntp
Source: WWAHost.exe, 0000000D.00000002.1982879120.00000238266E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/spartan/ntpC:

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 152.199.21.175:443 -> 192.168.2.16:49711 version: TLS 1.2

Source: classification engine

Classification label: clean2.winJPG@2/16@1/1

Source: C:\Windows\System32\WWAHost.exe

File created: C:\Users\user\AppData\Local\Packages\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RLLV1W2J\microsoft.windows[1].xml

Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe "C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe" -ServerName:App.AppX20qnn98vxw5bhxrjtb1f6rggecb2k15a.mca
Source: unknown	Process created: C:\Windows\System32\WWAHost.exe "C:\Windows\system32\wwahost.exe" -ServerName:App.wwa

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaext.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgehtml.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: chakra.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuuc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icuin.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgemanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ninput.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: edgeiso.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wwaapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cloudexperiencehostcommon.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrproxy.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webruntimemanager.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountwamextension.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: microsoftaccountextension.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: aadauthhelper.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.http.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: webauthn.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Section loaded: globinputhost.dll	Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240283A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240291B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240292B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402D940000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402DA60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DDC0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DF00000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DF60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E440000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E480000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E6D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403E8A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EAB0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EBF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403ED60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403EF20000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F020000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F060000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F1B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F2B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F6D0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403FB10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2402DB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403DC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 2403F890000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045200000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24040280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 240402A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24045500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055910000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A50000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Memory allocated: 24055A70000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: WWAHost.exe, 0000000D.00000002.1981495973.0000023826673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXT9-VMWare
Source: WWAHost.exe, 0000000D.00000003.1533171764.00000240404B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\AccountsControlHost.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WWAHost.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

ID:	1566841
Product:	CloudBasic
Start time:	18:27:07
Start date:	02.12.2024
Sample:	000001 (5).jpg
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	8379568464d8a4253eb8623701ad8c04
SHA1:	6b457dadfcc171b39fcb2028b4e51aef8f61322f
SHA256:	326390f2e71521df5d9f2e6f49dcb51ec0119faa146c48fe03a78c55f386913f
Filetype:	JFIF JPEG Bitmap (4007/3) 50.02%

Windows Analysis Report
000001 (5).jpg

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report 000001 (5).jpg

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
000001 (5).jpg