Malware Analysis Report

2025-03-15 06:30

Sample ID: 240130-hzs3pacdgn
Target: product list and specification.xls
SHA256: 9fb885a66da2ed08983a46519b97dc55e002913f859dfa1e54917f63e4d7f8f4
Tags: warzonerat infostealer rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 9fb885a66da2ed08983a46519b97dc55e002913f859dfa1e54917f63e4d7f8f4

Threat Level: Known bad

The file product list and specification.xls was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer rat

WarzoneRat, AveMaria

Warzone RAT payload

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Abuses OpenXML format to download file from external location

Executes dropped EXE

Drops file in System32 directory

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-30 07:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-30 07:10
Reported: 2024-01-30 07:13
Platform: win7-20231215-en
Max time kernel: 149s
Max time network: 136s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\product list and specification.xls"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\conhosts.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2128 set thread context of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\conhosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\conhosts.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\conhosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 604 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\conhosts.exe
PID 604 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\conhosts.exe
PID 604 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\conhosts.exe
PID 604 wrote to memory of 2128 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\conhosts.exe
PID 2760 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2760 wrote to memory of 1104 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2128 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\schtasks.exe
PID 2128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\schtasks.exe
PID 2128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\schtasks.exe
PID 2128 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\SysWOW64\schtasks.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2128 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\conhosts.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1912 wrote to memory of 820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1912 wrote to memory of 820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1912 wrote to memory of 820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1912 wrote to memory of 820 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\product list and specification.xls"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\conhosts.exe

"C:\Users\Admin\AppData\Roaming\conhosts.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hYnJcpennYk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hYnJcpennYk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 200

Network

Country Destination Domain Proto
CA 198.12.89.27:80 198.12.89.27 tcp
CA 198.12.89.27:80 198.12.89.27 tcp
CA 198.12.89.27:80 198.12.89.27 tcp
CA 198.12.89.27:80 198.12.89.27 tcp

Files

memory/1708-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1708-1-0x00000000723ED000-0x00000000723F8000-memory.dmp

memory/2760-5-0x000000002F061000-0x000000002F062000-memory.dmp

memory/2760-7-0x00000000723ED000-0x00000000723F8000-memory.dmp

memory/2760-9-0x0000000003640000-0x0000000003642000-memory.dmp

memory/1708-10-0x00000000023E0000-0x00000000023E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{1A02E1AB-2CBC-491B-8892-4AB8DE3C4B48}

MD5 eb8fd7f5f61a1adc20899ec5879a0a29
SHA1 77d672c4683a6394e84188db7e5d2bd9174432c8
SHA256 fa2c06397bd5f35ca66706d2aaf260dfdeaeb212087183586d73979cb87a352a
SHA512 0b48b0467633bd8ecda2f680072f17f99afdb703a112f61da08c50cb8c1c1feb77d4669faa1b3c796786ba10be5b6dafe5040f51d399b84cb9c2618ffd6e7ddc

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{87840451-FC79-47F8-BAF8-16EE9C337819}.FSD

MD5 38b6f5a8d234d089c0e36c26e2df4d1e
SHA1 22e602f062ea4778c2c6e7ac061d76e3fc1e37bf
SHA256 8161d7c03989d41f60073b3a457f1f2c84699b692b3e2e8f2eeb6d8f88073b20
SHA512 6a3ff9f7263eaa4010a03fc5a9e956fbe87d990d8b10d8101cdfe88d7f8c57ac01df01a39217f662e007111088982152a4d244b2426215239de57a4f8d070021

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

MD5 e6917900dfea2520c97a2bff031fce9c
SHA1 cff8bbb8b64ffecfc781dcedcd203958c720a56d
SHA256 ddba35e229681f45e2cfc4722421ee2d1ce2e42ceca2a20a24c579c137ef7c15
SHA512 7d283068393f8edcfe4ef55b9a002fdf39941a062d5c3c85a107c2c27d3c9b50b586b05acdf6f5e7b6fc584ff02caa1dd7b60f2a7256d19cc4521a42a1258637

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E6CE0603-52BE-4F8F-9116-615284639B54}.FSD

MD5 a8d6e7a4f0b5904d77466b977a3f222c
SHA1 9f0024308ec9602377deee065580f78b66fce1db
SHA256 64ba52d7be1814c0b856efbf75494e1d2cea274db8cd9ed57f9692b769287f56
SHA512 ec92516a0beee04b066f6e5410d97e4f7121b4107491a5bd202404c0e61b26958d24c809c201e05591e4dec6c2c1c65298cf6d254573f4728c54442b0830d76c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1YVWL6AI\hclupdationprocessstartedrecentlytoimprovethequalityofservicetoconfirmentirethingsfineformtheside[1].doc

MD5 e589afe701c8eb046a0aa6b1ab35e9eb
SHA1 182a9f9113be2da618efce9973ef54bae4867fd9
SHA256 c3e56bdc9a5195ea0780f2db3896d40d2e7ad07c5a150849ad1685ea8cd34040
SHA512 f604f2dfa4efa8d6a2729105e2d50c33f233d36a8b8b2678af1e8fecce0be5caf269cb74a7739618ad5cd8e8d350f741e0b4a8a45ce70209320ea7b9f1b056de

C:\Users\Admin\AppData\Roaming\conhosts.exe

MD5 d1ebfffb918cb931ae8e6ef5546b9efa
SHA1 325c8470cce00044d8a2ff9281c2ecc4223ab011
SHA256 82024edb19dae637e9af2940bbbf5e10fc8ad04deece28d610474e993ee3450e
SHA512 13c4d69c4deddc518ed5583d4f42817dad51802df27599524bb53dbdd9a58c1337eae541425c27ed1151f0e0f7ee05797b01ea612fcdc1a047aafd332881f3da

C:\Users\Admin\AppData\Local\Temp\tmpBDA4.tmp

MD5 c3cbcd771c71e3ba1ca94057b8552933
SHA1 7f37336c8a53888c82716c9ebf82e484ef0931c7
SHA256 77d97224cd3953c797bc524a9c7f7d1e548c5bd97997f4d6126057ce71c2daaa
SHA512 ffe1ec7b3d3330206b2ad37bd2d4c0ea4b71ab9e2476c8437f96e269004398328f9a664c02557988a62f9f5f520bb9c01268c1d17bd6bbc792eb999922e34aed

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 07:10

Reported

2024-01-30 07:13

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

132s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\product list and specification.xls"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\product list and specification.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
CA 198.12.89.27:80 198.12.89.27 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 27.89.12.198.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\467EF93D-ECF1-4E0B-AE8D-C0BB0A710FCD

MD5 bc97103076b9c98486f27b52b93b3b31
SHA1 209fe2375b33ace7a64bd6471353a5bce3311543
SHA256 6c31e3e58d04ae2b428b35e6dcb82ffb907768267dc86f3d053cd5cd9b00736b
SHA512 acda67f27a6e7b0ba96160563d97d0b977a4f75c4ec3e76f7bea27a8be701cc41fa205b7fc32a2b85ce5b21121126237f8c9640c355f95ddb8bd9babf143981a

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 7fe013a029ee24030eff02cd37fa7510
SHA1 85393ef6095da12d9eaf2d8c8ec2e388630a1db3
SHA256 0a280de7c80a08b75726083f9d483e6e15e443151c1bba44270cd480ac3a2102
SHA512 aa4d7f452f5a55a85759bc5ea83f3f9992d27d79c439d6c31d7b173ef04da42cd8dced426d403ee065ec0b81b0729d499a19af45d5924da0549fbd7f23cc045c

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 26fb6bfa2579822fe19f6f479366c62d
SHA1 2637b4069e1dcc00ded7abf8e7ae05ec897ec269
SHA256 2276bb623ccb75fa0970f90cba900ed2c786ba1367af19a69804cc6c3af7e70a
SHA512 cfce92f4ee6e73977e6fc8fd0da21dd0d60dd37943f7a49fce0947464fc97d16e4a3fdba5fdc527c00de55b5bd98ebcf2c95a95d3c8977336b2a352a8db4eb3a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8D1Z5HG5\hclupdationprocessstartedrecentlytoimprovethequalityofservicetoconfirmentirethingsfineformtheside[1].doc

MD5 e589afe701c8eb046a0aa6b1ab35e9eb
SHA1 182a9f9113be2da618efce9973ef54bae4867fd9
SHA256 c3e56bdc9a5195ea0780f2db3896d40d2e7ad07c5a150849ad1685ea8cd34040
SHA512 f604f2dfa4efa8d6a2729105e2d50c33f233d36a8b8b2678af1e8fecce0be5caf269cb74a7739618ad5cd8e8d350f741e0b4a8a45ce70209320ea7b9f1b056de
