Malware Analysis Report

2025-01-22 12:21

Sample ID 240625-z5wt7swfkr
Target 92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891
SHA256 92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891
Tags
macro
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891

Threat Level: Likely malicious

The file 92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891 was found to be: Likely malicious.

Malicious Activity Summary

macro

Suspicious Office macro

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 21:18

Signatures

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 21:18

Reported

2024-06-25 21:19

Platform

win7-20240221-en

Max time kernel

60s

Max time network

61s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891.docm"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7EC70CB1-3338-11EF-8356-E61A8C993A67} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b216c6ab3517a409a88c4d1e5254f8a0000000002000000000010660000000100002000000020e38522e21909de8ed1789d11768ab4d0390350f3b9d5e912f806f0cce36e1e000000000e800000000200002000000017b1b03ff1985a9e3bece69a1fd277065e78aa27bf2dbf8a3abe543e7b4df7c7200000000bd24ef28be67487afe64dcb1616f07c7ab12294b8415139d766076ecbaa71f440000000d151f3da82c660d3aec0e1e40d26cacc65d2c31b2fc39352f228fa08df71a4fa778d4d60d5abc07e01c11fe2ad9ff100858fb7b73824139a6ec20fb95eb78c2b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e04f905645c7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0843B15B-7C08-47EB-A06E-A87F89CFFBB7} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
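The long hex values in the "command" rows of this table and of the Internet Explorer table before it are worth decoding before the registry activity is counted against the sample. The script below is an added example and not part of the sandbox report: it takes the two blobs copied verbatim from the rows above, decodes them as UTF-16LE and splits them as Windows Installer advertised ("Darwin") descriptors, whose layout is a 20-character compressed product code, a feature name, ">", a 20-character compressed component code and optional arguments. That is the form Office uses for its own .htm/.mht "edit" associations, so these rows on their own are Office re-registering itself rather than attacker persistence. The Window_Placement value from the Internet Explorer table is included as a negative case. The "...Files" feature-name check and the report-row regex are this example's own assumptions; the compressed GUIDs are left compressed.

```python
"""Decode the hex REG_BINARY 'command' values from the registry tables above.

Added example, not part of the sandbox report. The hex constants are copied
from the report rows; the descriptor layout is the documented Windows
Installer advertised-string format:

    <20-char compressed product code><feature>'>'<20-char compressed component code>[arguments]
"""

import re

# ...\Internet Explorer\Default HTML Editor\shell\edit\command\command (copied from the report)
WORD_EDIT_COMMAND_HEX = (
    "7800620027004200560035002100210021002100"  # x b ' B V 5 ! ! ! !
    "210021002100210021004d004b004b0053006b00"  # ! ! ! ! ! M K K S k
    "57004f0052004400460069006c00650073003e00"  # W O R D F i l e s >
    "620069002400540021005600210030005a003d00"  # b i $ T ! V ! 0 Z =
    "7b0050006b00300076006d007e0041005a007500"  # { P k 0 v m ~ A Z u
    "20002f006e002000220025003100220000000000"  # ' ' / n ' ' " % 1 " NUL NUL
)
# ...\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command (copied from the report)
EXCEL_EDIT_COMMAND_HEX = (
    "7800620027004200560035002100210021002100"
    "210021002100210021004d004b004b0053006b00"
    "45005800430045004c00460069006c0065007300"  # E X C E L F i l e s
    "3e00560069006a00710042006f00660028005900"  # > V i j q B o f ( Y
    "3800270077002100460049006400310067004c00"  # 8 ' w ! F I d 1 g L
    "510020002f0064006400650000000000"          # Q ' ' / d d e NUL NUL
)
# ...\Internet Explorer\Main\Window_Placement (copied from the report): a WINDOWPLACEMENT struct, not a descriptor
WINDOW_PLACEMENT_HEX = "2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000"

# Constructed report rows in the page's "Set value (data) <key> = <hex> <process> N/A" shape.
REPORT_ROWS = [
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = "
    + WORD_EDIT_COMMAND_HEX + r" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A",
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = "
    + EXCEL_EDIT_COMMAND_HEX + r" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A",
    r"Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = "
    + WINDOW_PLACEMENT_HEX + r" C:\Program Files\Internet Explorer\iexplore.exe N/A",
]

# Assumed row shape: the hex payload sits between " = " and the process column.
HEX_VALUE_RE = re.compile(r" = ([0-9a-fA-F]{16,})(?= )")


def extract_hex_values(rows):
    """Return the hex payload of every row that carries one, in row order."""
    return [m.group(1) for m in (HEX_VALUE_RE.search(r) for r in rows) if m]


def decode_reg_binary_utf16(hex_value):
    """Decode a REG_BINARY blob as a NUL-terminated UTF-16LE string."""
    data = bytes.fromhex(hex_value)
    if len(data) % 2:
        raise ValueError("odd byte count, not UTF-16")
    return data.decode("utf-16-le").rstrip("\x00")


def parse_darwin_descriptor(text):
    """Split an advertised descriptor into its fixed-width and delimited fields."""
    if len(text) < 41 or ">" not in text[20:]:
        raise ValueError("not a Darwin descriptor")
    product = text[:20]
    feature, _, tail = text[20:].partition(">")
    if len(tail) < 20:
        raise ValueError("component code truncated")
    return {"product_code": product, "feature": feature,
            "component_code": tail[:20], "args": tail[20:]}


def is_office_advertised_command(hex_value):
    """Heuristic (this example's assumption): descriptor whose feature is an Office '<App>Files' group."""
    try:
        desc = parse_darwin_descriptor(decode_reg_binary_utf16(hex_value))
    except (ValueError, UnicodeDecodeError):
        return False
    return desc["feature"].endswith("Files")


def triage_rows(rows):
    """Map each hex payload found in the rows to its parsed descriptor, or None if it is not one."""
    out = {}
    for hex_value in extract_hex_values(rows):
        try:
            out[hex_value] = parse_darwin_descriptor(decode_reg_binary_utf16(hex_value))
        except (ValueError, UnicodeDecodeError):
            out[hex_value] = None
    return out


if __name__ == "__main__":
    for hex_value, desc in triage_rows(REPORT_ROWS).items():
        print(hex_value[:24] + "...", "->", desc if desc else "not a descriptor")
```

Both decoded blobs share the same product code and differ only in feature and component, which is what an installer-managed file association looks like; a descriptor pointing at an unfamiliar feature name, or a plain command string in place of a descriptor, would be the thing to chase.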

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2964 wrote to memory of 1920 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Program Files\Internet Explorer\iexplore.exe
PID 1920 wrote to memory of 2800 (4 events) | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2964 wrote to memory of 812 (4 events) | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891.docm"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://employeeportal.net-login.com/XMWF3Q1dlRld3anZ3MHRCa3d2NjNlbUdhcFdrZ29oNDNnMWVFYmpQSkJETlN6YUo0SjNmc0RTS3FremVqQUFDRWUxeVhsMWk0cENOOGc2RUt3KzM3bVZJdk9oemtyNXF2ZXczRnJhMHNrZkdpT1pZUkV3NktJUmVNNS83Q0RhemNhdCsyZ3dDdU05ancwb2IwOFdyMUJ5dFdSakU5UU04OW91OUp5SkpGQWZwZlZ4bm1CUHNEVnRwZ2QvckRVNXRCVWJMaC0tNitsS3d4a3lGdnIvUnFZKy0tbEtuUnB5R0tJYnhjdTlPb2twck5hdz09?cid=2089134535

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | employeeportal.net-login.com | udp
US | 35.153.9.28:443 | employeeportal.net-login.com | tcp
US | 35.153.9.28:443 | employeeportal.net-login.com | tcp
US | 35.153.9.28:443 | employeeportal.net-login.com | tcp
US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp
US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp
US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp
FR | 13.249.8.192:80 | ocsp.r2m02.amazontrust.com | tcp
FR | 13.249.8.192:80 | ocsp.r2m02.amazontrust.com | tcp
FR | 13.249.8.192:80 | ocsp.r2m02.amazontrust.com | tcp
US | 8.8.8.8:53 | account.secured-login.net | udp
US | 34.230.108.107:443 | account.secured-login.net | tcp
US | 34.230.108.107:443 | account.secured-login.net | tcp
US | 34.230.108.107:443 | account.secured-login.net | tcp
US | 8.8.8.8:53 | cdn2.hubspot.net | udp
US | 104.18.91.62:443 | cdn2.hubspot.net | tcp
US | 104.18.91.62:443 | cdn2.hubspot.net | tcp

Files

memory/2964-0-0x000000002F991000-0x000000002F992000-memory.dmp

memory/2964-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2964-2-0x000000007189D000-0x00000000718A8000-memory.dmp

memory/2964-12-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-17-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-13-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-14-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-15-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-16-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-23-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-33-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-32-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-22-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-21-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-20-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-19-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-18-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-34-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-54-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-70-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-77-0x0000000006450000-0x0000000006550000-memory.dmp

memory/2964-76-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-75-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-71-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-66-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-44-0x0000000000280000-0x0000000000380000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 323ff7ca4261f15a0851a16f1b045a78
SHA1 4688afd66855be7be83b8f9eef838fdaac0a15f5
SHA256 cbcf88c34843b2e4224ebed37168f141ab7c378877ee4e012a46d6c1e438210b
SHA512 c34c37b00c4519bb633536974925c5686a5406891f388c713e2092ecf7ad5ca34f19e2b1b90b3bfd7427b5d80064732954aa7d1356a2dba041f414bde6aa2929

C:\Users\Admin\AppData\Local\Temp\Cab19B8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 183a6cd5f0ba6c1dbc25c6d546c3348c
SHA1 a655bbbe13473e82a9a8eee1911400406ef7f2c5
SHA256 0fbd3fa86fbe6badc43d643cec162c98786b86f7d16d738443de3b9bac72d316
SHA512 3e6caf6c75bf476d1cb64e941864bdc01098d95cdf9b05d1f3547e177f23558fa11df0cfce9428eda1cf0084aeda2c4f0aef525df97ac0051f2ec914678c5436

C:\Users\Admin\AppData\Local\Temp\Tar19CB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6bd31876e04acf0e0f5c05ff3f0ef7d6
SHA1 8750aab29f1ec050e43d27947e476ea1afd4ec24
SHA256 432bd726c12ac7e5bcd359fcd3fa54f9e57922be7e6327f637bf902ae88d9348
SHA512 4bf7b20c29f8c91c30d6d2eeb9a4463da89cb8324248d633414f8a1c7ee75b0299330de20e1e7faf2a0492dca93f885a77b2b16c4c99589f260492d24eefca31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1AAB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc6622a81cbbcb1e3c6c99ae997e53e7
SHA1 934f216ec75fe7ebc70273136616df03d071f303
SHA256 a11a266b331f38526a857b51db7076a01cb57035fb1cdcd94aa4b6a10b1fa860
SHA512 27f0d6ff50356c640d58c29c30712307a30215b4dfc75baec425b2d5ab327d9bcbfb6b5ea050846dc5d762f34d681375f3f63f7b750b28f1f7572e9bd6341556

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dea303c9c2f7f43f1127f73c39787dc1
SHA1 247e2e83c52a5ef9e833866af8359e9030491ef2
SHA256 36e86e6e6f536eacc362bce1b250d497b878d849bad85d0cf0ba795af839c4cb
SHA512 4c32ce3740aa4392b3ad84a99769cce5dae7c0a20808a8667989b98338d95452113298fb4b3a4bbefc5f8776f3046d619b0ab1231238609ee649189d0a15ff38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1087f7fd8d9eaa50c20f6ea27411e683
SHA1 8311ee1300bf55e50cf5b16e8f3a776a5ed3ef0a
SHA256 5f67ac1a6ebb84d908f2fbe2327101a30175f60a81fddc473cab86f254af8d98
SHA512 f57a7e25bb876698bfe11fbdbb8772db8cf3778bfd16a6ca4ae187998be914afe0e482610a7f7f114812fe0b94aea56bd2800f0874cb7c1a82f2021276b0fcdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d8e73c5cae645a5cbf57be6a813f1c6b
SHA1 93114eb23b890d67e12c027fb3bf9ed0927f5107
SHA256 fc6385d02db6bcddffedc332c2ceb3352957e5e232bcdb39ee068aae9cbbf0d2
SHA512 523a327a43acdc8072119b560d45b469468610faa890760ae313631964ad8d5592794b0850ea3f61077fd4a7ef09b89b6a7143e393d7ef41d14a64b69288ac8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 866ac168b8686a38dfdca0690251a1a1
SHA1 15bbca70053151fa0d0186fed1914ce6c8367c88
SHA256 1a4df2aca106746187841b8694664bdb3c5db958e7783b831839d61be956999f
SHA512 43d6a0680492d5aa70268ddc356176da36c77cf958f5134f9874ed4a6a013dc1caa486644521ddc046b1538939d096289d140de1ad69db0f5f02ccfc88f43231

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 389d68f5748fe685919dd523db842886
SHA1 c3d5f38c4baa04f180af1eb89b08196745de3a87
SHA256 0aa1141c5e1130176149ed0c2b0ebd162284327dc877a953963028a9a681aa53
SHA512 e2ac60532e80915ed932dea1591106d472899d82cef27c6940b072c966fa5fc073357fe3c82f7ca3c97f74806106d02d1c65a313c60721b2031474fd982ddb14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 ad408fbdbb5c15f7a61f21a1ea217d47
SHA1 d4420e0022f79e6bc6fc0251908f9438795ed4dc
SHA256 37f68512d10982ef8f0c02f96edbe05f6f30e45ff654059aa803a7b7e778f1f9
SHA512 b30fbe94cad95153ea3458703d51aed2d4a729a7d438838b3c1167f4ec9c076deb6de8641a20f0bd80057c9683c261bd8ce6c90f5297d77478f8c77af4e5abb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 d023039c61e079b14c5fc250a5c04820
SHA1 af126ebe2de1c4980820d9bb6c818e5b1cf1c468
SHA256 492557e6880894de74e8787c2c5be64288b43d3e0ea9b5b38c0e5626adc1f806
SHA512 9c8dd6fda256ed9dd28482fd7a3c924298aecf2e6aec142e68ef59fde77e5d41bf532d54f040cfd5b8e8c292f58537e56836e5159e615b16d7abdf02f43e874d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 83daeea5a6d9bc827c142c40cf60f026
SHA1 22af6ca3226cedfa08b61fe76c0a706d16405115
SHA256 41564b731b02d593904668d19c96a0a74aa575fdd50ec0c7c32a22c2239cc8d8
SHA512 032342e48cd32ca24e5edfe2038afae3e629499b1ee8a4589d9826d044a14a5ec14337dc743434d84185016377b8166a39d114795ae861d9c5f6163ff318aa2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 9c4b4aed7d46c4328a9652e3505ed6af
SHA1 69cc5d6774360782d131d601fcc06925d308772f
SHA256 2450723e291c8b4dcfa6a716984f0b231a99f46a7ee6dac23332c82132ddbcdd
SHA512 2ee0c7e956a62b043ee6e85ff84024a1506878ee482f2638236c8e206ff633a0c72fce9d488cb9fb8546463bc5920bc16f78b86bc7bac1e8e75fd781f6eccf36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

MD5 9287c20d78c3cb4fc64c476df91c9cdc
SHA1 3130cf95cd8f7c0543e6fd9e0c545de208b4776a
SHA256 9b3330a3292b2ad16b16c7fbfc51ac268e786ca2d2fdfe5a964f7bab90da3374
SHA512 044af0719f35f0fcc6321874b50a60023de615c477ad7e35fa67090d74983040bddaaad569a0d6a303f968585be2396bcc8cc24b699cd7fd15840f3c1b8b2690

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

MD5 579039d0467b35b3dfd716ffc6ab8030
SHA1 e273ba5ebdde7cd20759d75c2d9e3bf116851e38
SHA256 f196abb45924f16ae1ebfea3ee518b23a80f2769e967ba35917c5864063cd5e3
SHA512 089e255e2d57788ca9fea319dc9c4275f316aa3b45a299b7a0930aa3a4f9a2ca2cc7aad51393a58af03eb1d5e8890d86dc22240e783e604ffbe3b1c51ac23497

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_19F0D548711CAEA25F603A68C9924CD1

MD5 daf5dfdbd7c10f33d1677e3b680ca7fd
SHA1 8bb5f159ce10d8a1ebcd284975a3d745f55041be
SHA256 5e4045d672e65f1df051fb67b6585016b58c5948b8486ee571347f2284589775
SHA512 4e6360259c6972261b743e26002356b592e8db1cca3456efc5b2b78615607dd07b763010d3d0f343d7cd6c5d89a63dc477156773cdfcf425f63f5847f245c208

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_19F0D548711CAEA25F603A68C9924CD1

MD5 8ea8907f35914931e898d6db8bad5405
SHA1 1369256d51b15a695203d03de9f208a05ddd36bc
SHA256 9abf810ffa19736211e35e5e99357bb9dd9514e1cb63dc1ba874c82d93480631
SHA512 81a77192648947433b7bbd548c93c48a10f967bfd780a124489d72095823915ed9124f3ed0c993b254541ea7f1c8885ea8f75eeba7f0be65754c9ffe7e9dd5ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c978e54b81844c556dfda8cd4f2b177a
SHA1 e9f70dd905b88d49a01a4bce5c4431e2bc742dcf
SHA256 b914d67d7f27d01dc6a9b19f9e4b8787b4bfd816bd0a4ce507445b0b8005ef5d
SHA512 7d55ca643ffbfe7677ded7d5bfabe7d65930aa18f10cb1b810d43c75c62a1aa9a041bae09438522a50ed2be5b1924a51d8e62e60fa70e81a832530e83dc0d301

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd83bed475407129d5aaba6882bc8a8e
SHA1 7a1bce88986479d23de05f0778465ae0168d9a5e
SHA256 45edf19dfd5fd7baf1959f39fcdf41905c9e48e5c913131ae30236f9e6e8f5e2
SHA512 73e5a783d4c77c799ffb7226c5b76707617250655f16fd5f163311500d437d3380c5ff8e75e659b0bf2b3a731e4660a0e38c23a7f2b8c62925e493f6f5cc0e62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b8250aa775028be13563e7245617516a
SHA1 d69d6913717c34c0400e45b716c9b5bedb173a42
SHA256 d5228cf3987068e60a8c5cd78e10bfa76b41230f74af77871e678ad7b2436b21
SHA512 05e8a0340cb39f22b82ed24402413a8d1d9b20ffdd1dd9fc0959e47f68c137e6c6f8e7c464fa5ff1ef674fca8c68c334bb47ebab75ab18664ee60bbed10e45d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 413f21dcef96bd0be76dcdcf9c950795
SHA1 0277da1a01ad40fe7205e2548b419956969e6708
SHA256 6304b24bdd06678fb32000e061684f04fde25ac1735bd51697b1cdde984de785
SHA512 af325e79e4bb3ffa29e01db3031d6a74990901c4d8c706334f7a93c57b923ea9e0dbbfb3b7a9af74162f32fefc2b8f28fcc519f8ba609160d51f6898ce7089c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 153ff8ec0b28381924591992425575aa
SHA1 fb478ba58f6200b5bede04aa458ce26ffdfa8b75
SHA256 961548577d6689b7865bb3c3a1826df763b223edb628b1f0ae7fbcd8601f125e
SHA512 24b0ede7c24857b22d83e834a419fa96fb1a7c92e6a98fef0c685e0f2d24e31a74cc574cee16f741653de4af6105c42254b32b5f1290957233b53ddbf867474b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23130c276ca9e5530db5bdc97ca4df69
SHA1 4d5c591c7927636e907c92ac0a12d9b4b5932f82
SHA256 107965bec9bbb8fc0f78c8db113484ecc1845e3eaf4b38cba6077c3c3f14f53f
SHA512 d91c3a34b0f73731fe02452f3496fcf7ddaa56012fa2b1ffa9212e670812a26f1ae86bc245ac7a9bae3881104ee68b725d3e9b1ceff54bf6eeaea43995c992eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89700b59bd9f10277ff87aa2d8e2dd96
SHA1 56919de77ad6c263ccf5d22ebc9cf82719ba0648
SHA256 7a4fc076b04ed961d72332fc6801c2cc886ca85a036300aa763f919929f0fdba
SHA512 6ba3d76961772d7212b4983e62ced0ab8065930e9c9a186977a9c7b34ad096c6feebcc3afb306d18ee34e1c3dc589ff81ab674f2a4f36e5bde63cfb1023f69ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ec500f52dae09b27524c73225fae71e
SHA1 c4bc9a6eb4c9c0a942716bdcb8b04b3ed3d9e79b
SHA256 a3f6029bb014075bb1445ad66b726178c0fc71533b7375838feb0de0b6e0606d
SHA512 865b7eedf1b99cec04d107d9270f862569fcfa5aac3455a949006606d3c2dce39f78b121abdc580f26b88dafe7c85fce4d6596212bc64312a211773296ab39e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aca69e6f8f7259be7a84dadcc6995c5e
SHA1 24ec89e37701cf94344b1333ce619930d3565e42
SHA256 b9d8733a88fbb527deb3b18ce6dcbe6c1c7b4d6915283a746dc87c64dc8879bd
SHA512 8588c2e4df4771d653daa7178f0ea47288e2b901fb0bb2ff7b2ed0694533249688d12a26ba69623c28b22dcca92cf1c591a580a5fe603793f86c4a598bb7452f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 160fa6c5ea56bcf25d8275f4072758b7
SHA1 420e7f9929d401a36c6443d5ac7844672a3f50f5
SHA256 c03324e5c166112411bd1538076fff7bac841d0ed30f7b8ebd6d7cea9ac7bfde
SHA512 0a1440d3c1ee05cd7ca1bb5c8b279aa95de6287aa9a6d7a2de720a34ce0f9c5ff926ca73c9ecd023515587a6605c9a365d5c40bcd696b1f097300b9476d39a2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 660a146fc292bf98488ee7501690225b
SHA1 9e5f628cecef393830aca8fb2c47b04614d56fac
SHA256 0ca6efe7c7f3d66acd4d1953b9ee375f987488d20c496983de1c7a1522b841de
SHA512 e0e138e34701734790ef9502c967fbe2d87c2adbcba4b87fbd1d2143207258980f73c6491fb4019a6f9a4e79ad1e303856f79a4f37ef1aacd60e282cee199b3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 371cbc9e0f3744f8f4c762c713afa900
SHA1 f10b987fecb2bc21a41ee8d23606233838b090a8
SHA256 8fb9c49271427f132e8c39c7677e4ac9317b4ebbf6f79f9cd67c6a0abe32cf60
SHA512 5b591ed41cdf01fd3cb05b91f49ec392a0449613051edc3ee0ac50e45faeee3abb25776d5c0c68fe350069cb5454a5aa45db945921cddd052531acdfb0b26af2

memory/2964-991-0x000000007189D000-0x00000000718A8000-memory.dmp

memory/2964-992-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-993-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-994-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2964-995-0x0000000006450000-0x0000000006550000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 21:18

Reported

2024-06-25 21:19

Platform

win10v2004-20240226-en

Max time kernel

61s

Max time network

65s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891.docm" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\92073233ee5c64cca43853633950021459077cf4891a172c629d79f66ec9c891.docm" /o ""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://employeeportal.net-login.com/XMWF3Q1dlRld3anZ3MHRCa3d2NjNlbUdhcFdrZ29oNDNnMWVFYmpQSkJETlN6YUo0SjNmc0RTS3FremVqQUFDRWUxeVhsMWk0cENOOGc2RUt3KzM3bVZJdk9oemtyNXF2ZXczRnJhMHNrZkdpT1pZUkV3NktJUmVNNS83Q0RhemNhdCsyZ3dDdU05ancwb2IwOFdyMUJ5dFdSakU5UU04OW91OUp5SkpGQWZwZlZ4bm1CUHNEVnRwZ2QvckRVNXRCVWJMaC0tNitsS3d4a3lGdnIvUnFZKy0tbEtuUnB5R0tJYnhjdTlPb2twck5hdz09?cid=2089134535

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2596 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4284 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5868 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5040 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5524 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5468 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 employeeportal.net-login.com udp
US 8.8.8.8:53 employeeportal.net-login.com udp
US 8.8.8.8:53 employeeportal.net-login.com udp
US 3.219.89.105:443 employeeportal.net-login.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 3.219.89.105:443 employeeportal.net-login.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 13.107.6.158:443 business.bing.com tcp
GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 105.89.219.3.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 2.18.121.10:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 account.secured-login.net udp
US 8.8.8.8:53 account.secured-login.net udp
US 8.8.8.8:53 account.secured-login.net udp
US 8.8.8.8:53 employeeportal.net-login.com udp
US 23.200.189.225:443 www.microsoft.com tcp
US 3.90.127.1:443 employeeportal.net-login.com tcp
US 3.90.127.1:443 employeeportal.net-login.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 10.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 225.189.200.23.in-addr.arpa udp
US 8.8.8.8:53 1.127.90.3.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 cdn2.hubspot.net udp
US 8.8.8.8:53 cdn2.hubspot.net udp
US 104.18.91.62:443 cdn2.hubspot.net udp
US 104.18.91.62:443 cdn2.hubspot.net tcp
US 8.8.8.8:53 62.91.18.104.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
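
Most rows in these two Network tables are not the sample's doing: the OCSP fetch belongs to the browser's certificate check, business.bing.com, SmartScreen, nelreports.net and edgestatic.azureedge.net are Edge's own traffic, and every in-addr.arpa query is the sandbox doing reverse lookups of addresses it already saw. What is left after that is removed is the indicator set. The script below is an added example, not part of the report; the rows are copied from the tables above (a subset of them), and the noise suffix list and the treatment of 8.8.8.8 as the resolver are assumptions.

```python
"""Separate the sample's own network indicators from sandbox and browser noise.

Added example, not part of the sandbox report. Rows are copied from the
report's Network tables (a subset); the noise suffix list and the resolver
address are assumptions.
"""
import ipaddress
from collections import defaultdict

# Names the detonation host, IE and Edge contact on their own (assumed list).
NOISE_SUFFIXES = (
    ".amazontrust.com",   # OCSP for the site certificate
    ".microsoft.com",     # SmartScreen, www.microsoft.com
    ".s-microsoft.com",
    ".bing.com",
    ".nelreports.net",    # Edge network error logging
    ".azureedge.net",     # Edge static assets
)
DNS_RESOLVERS = {"8.8.8.8"}   # the sandbox's resolver, seen on every udp/53 row

# Rows copied from the report (behavioral1 and behavioral2), not all of them.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 employeeportal.net-login.com udp",
    "US 35.153.9.28:443 employeeportal.net-login.com tcp",
    "US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp",
    "FR 13.249.8.192:80 ocsp.r2m02.amazontrust.com tcp",
    "US 8.8.8.8:53 account.secured-login.net udp",
    "US 34.230.108.107:443 account.secured-login.net tcp",
    "US 8.8.8.8:53 cdn2.hubspot.net udp",
    "US 104.18.91.62:443 cdn2.hubspot.net tcp",
    "US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp",
    "GB 96.16.110.114:80 tcp",
    "GB 142.250.187.202:443 tcp",
    "US 3.219.89.105:443 employeeportal.net-login.com tcp",
    "US 13.107.6.158:443 business.bing.com tcp",
    "GB 51.140.244.186:443 nav-edge.smartscreen.microsoft.com tcp",
    "NL 2.18.121.10:443 bzib.nelreports.net tcp",
    "US 23.200.189.225:443 www.microsoft.com tcp",
    "US 3.90.127.1:443 employeeportal.net-login.com tcp",
    "US 13.107.246.64:443 edgestatic.azureedge.net tcp",
    "US 104.18.91.62:443 cdn2.hubspot.net udp",
    "NL 23.62.61.97:443 www.bing.com tcp",
]


def parse_row(line):
    """Parse 'Country IP:port [Domain] Proto'; the Domain column is empty
    for endpoints the sandbox could not tie to a name."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, _, port = dest.rpartition(":")
    ipaddress.ip_address(ip)          # raises on a malformed address
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto}


def is_noise(domain):
    if domain.endswith(".in-addr.arpa"):   # sandbox reverse lookups
        return True
    return any(domain == s[1:] or domain.endswith(s) for s in NOISE_SUFFIXES)


def triage(rows):
    """Return the names the sample caused to be resolved and the endpoints
    it actually connected to, with the noise removed."""
    domains = set()
    endpoints = defaultdict(set)
    for line in rows:
        r = parse_row(line)
        if is_noise(r["domain"]):
            continue
        if r["domain"]:
            domains.add(r["domain"])
        if r["ip"] in DNS_RESOLVERS:
            continue                       # the query names the domain; the resolver is not an indicator
        endpoints[r["domain"] or "(no name)"].add(f"{r['ip']}:{r['port']}/{r['proto']}")
    return {"domains": sorted(domains),
            "endpoints": {k: sorted(v) for k, v in sorted(endpoints.items())}}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print("domains:", ", ".join(result["domains"]))
    for name, eps in result["endpoints"].items():
        print(f"{name}: {', '.join(eps)}")
```

Three names survive: employeeportal.net-login.com, account.secured-login.net and cdn2.hubspot.net. The first resolves to a different address in each detonation (35.153.9.28, 3.219.89.105, 3.90.127.1), so the domain rather than any one IP is the durable indicator. cdn2.hubspot.net is a public CDN that the phishing page pulls content from; it is deliberately not on the noise list, because whether those assets belong to the kit or are generic is a call for the analyst, and the same goes for the two endpoints the table leaves unnamed (96.16.110.114:80 and 142.250.187.202:443).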

Files

memory/2112-0-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

memory/2112-1-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

memory/2112-2-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

memory/2112-3-0x00007FFCACE4D000-0x00007FFCACE4E000-memory.dmp

memory/2112-4-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

memory/2112-5-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-7-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-6-0x00007FFC6CE30000-0x00007FFC6CE40000-memory.dmp

memory/2112-8-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-9-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

memory/2112-11-0x00007FFC6A870000-0x00007FFC6A880000-memory.dmp

memory/2112-29-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-37-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-41-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-45-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-48-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-49-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp

memory/2112-50-0x00007FFCACDB0000-0x00007FFCACFA5000-memory.dmp