IOC Report
Payroll_4_16_2024-7089599578.eml

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Payroll_4_16_2024-7089599578.eml | HTML document, ASCII text, with CRLF line terminators | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm | data | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal | SQLite Write-Ahead Log, version 3007000 | modified | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{0E56D892-A260-454C-A426-1144F4B817BD}.tmp | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713298793374557000_93A548AA-A6F0-4FB5-9E89-1EF0C0448A7A.log | ASCII text, with very long lines (828), with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1713298793375308300_93A548AA-A6F0-4FB5-9E89-1EF0C0448A7A.log | data | dropped | |
| C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240416T2219530139-1316.etl | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl | data | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 19:20:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 19:20:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 19:20:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 19:20:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Apr 16 19:20:04 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide | dropped | |
| C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst | Microsoft Outlook email folder (>=2003) | dropped | |
| C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp | OpenPGP Public Key Version 2 | dropped | |
| Chrome Cache Entry: 100 | ASCII text, with very long lines (7818), with no line terminators | downloaded | |
| Chrome Cache Entry: 101 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 223759 | downloaded | |
| Chrome Cache Entry: 102 | PNG image data, 17 x 25, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 103 | MS Windows icon resource - 4 icons, 64x64, 32 bits/pixel, 32x32, 32 bits/pixel | downloaded | |
| Chrome Cache Entry: 104 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513 | dropped | |
| Chrome Cache Entry: 105 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113657 | downloaded | |
| Chrome Cache Entry: 106 | MS Windows icon resource - 4 icons, 64x64, 32 bits/pixel, 32x32, 32 bits/pixel | dropped | |
| Chrome Cache Entry: 108 | GIF image data, version 89a, 22 x 22 | dropped | |
| Chrome Cache Entry: 109 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 55071 | downloaded | |
| Chrome Cache Entry: 110 | ASCII text, with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 111 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 112 | GIF image data, version 89a, 352 x 3 | downloaded | |
| Chrome Cache Entry: 113 | HTML document, ASCII text, with very long lines (1238) | downloaded | |
| Chrome Cache Entry: 114 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 115 | HTML document, Unicode text, UTF-8 text, with very long lines (965), with CRLF, LF line terminators | dropped | |
| Chrome Cache Entry: 116 | ASCII text, with very long lines (65447) | downloaded | |
| Chrome Cache Entry: 117 | ASCII text, with no line terminators | downloaded | |
| Chrome Cache Entry: 118 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513 | downloaded | |
| Chrome Cache Entry: 119 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864 | downloaded | |
| Chrome Cache Entry: 120 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 141320 | downloaded | |
| Chrome Cache Entry: 121 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592 | dropped | |
| Chrome Cache Entry: 122 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651 | downloaded | |
| Chrome Cache Entry: 123 | GIF image data, version 89a, 24 x 24 | dropped | |
| Chrome Cache Entry: 124 | GIF image data, version 89a, 352 x 3 | dropped | |
| Chrome Cache Entry: 125 | PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 126 | PNG image data, 89 x 18, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 127 | GIF image data, version 89a, 352 x 3 | dropped | |
| Chrome Cache Entry: 128 | GIF image data, version 89a, 352 x 3 | downloaded | |
| Chrome Cache Entry: 129 | PNG image data, 17 x 25, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 130 | GIF image data, version 89a, 24 x 24 | downloaded | |
| Chrome Cache Entry: 131 | ASCII text, with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 132 | HTML document, Unicode text, UTF-8 text, with very long lines (965), with CRLF, LF line terminators | downloaded | |
| Chrome Cache Entry: 133 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 26667 | downloaded | |
| Chrome Cache Entry: 134 | ASCII text, with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 135 | PNG image data, 338 x 72, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 136 | PNG image data, 16 x 25, 8-bit/color RGBA, non-interlaced | downloaded | |
| Chrome Cache Entry: 137 | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 138 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864 | dropped | |
| Chrome Cache Entry: 139 | MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors | dropped | |
| Chrome Cache Entry: 140 | ASCII text, with no line terminators | downloaded | |
| Chrome Cache Entry: 141 | MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors | downloaded | |
| Chrome Cache Entry: 91 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1592 | downloaded | |
| Chrome Cache Entry: 92 | HTML document, ASCII text, with very long lines (2405), with CRLF line terminators | downloaded | |
| Chrome Cache Entry: 93 | PNG image data, 60 x 60, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 94 | PNG image data, 338 x 72, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 95 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651 | dropped | |
| Chrome Cache Entry: 96 | GIF image data, version 89a, 22 x 22 | downloaded | |
| Chrome Cache Entry: 97 | PNG image data, 16 x 25, 8-bit/color RGBA, non-interlaced | dropped | |
| Chrome Cache Entry: 98 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 444227 | downloaded | |
| Chrome Cache Entry: 99 | gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 113084 | downloaded | |

(57 further file entries are not included in this export.)

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\Payroll_4_16_2024-7089599578.eml" | |
| C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "29FA1706-6DDD-4A40-9B9A-9AFF34DD3E8E" "2739FCB0-1198-4E44-B0DA-0244533EBEC8" "1316" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://u2355257.ct.sendgrid.net/ls/click?upn=u001.4YkCuNYTF3S1epm9KijHzHFfZe6RGn3F0umQQjG6fIb5h6U0n3Lap6J1hKqXi7Fiss-2Fnjz-2BcFRXpypvRmmfgWt5YdT-2FEMvobeWiYkA7qtLRfI7gD-2Bf1h-2BjR2-2Bq4mixrNfKnw_Pa360ofsYnvNl-2B4fSoWN13-2FPnURinMO3MvXMeuc-2FoKD-2BkGAt5cRtROnqB6rn9MJAoc3OLl5AyOxyqbH38sEF938DnlEUTyDpBgvZHcImoEN-2F2kcruJg13LIPoC-2BKR-2Fg2foOgIG1WVb-2FVtBKRP2a5dEd4Ya7pYid-2FndWTL8Pm-2FC2C4TZRdZkqbj86QWuQw-2FxOcWVAOF-2FeForOJOJHpzFuRA-3D-3D | |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1880,i,2120994647311975423,14967312562802856223,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com | | malicious |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/?ru=https%3a%2f%2flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2fcommon%2freprocess%3fctx%3drQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATWs7CdPrTpnWdj4T5h2R8bLFcxKhM2Qv8CI-MLRsZbTIL-RemeKeHFbqkpqUWJJZn5eRdYBF6x8BgwW3FwcAkwSDAoMPxgYVzECrRJ7Y2lb8HXLJdl9yfr_gnhYDjFqh8Qleiem-Ni6JPt5eftneVR6OtrVGSkXRpQkB_uoR2UYmQUUp6WHlFlVpJta25lOIFNaAIb0yk2hg9sjB3sDLPYGQ5wMh7gZfjBt-H4jJcrT01_5_GKX8exIDg1Iisn3yskyifH0zzb1cfT27vS1yPZMSfHpMAjtMTE0TLcPzPCtcLXdoMAAwA1&mkt=en-US&hosted=0&device_platform=Windows+10&username=eprifti%40stonhard.com | | malicious |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com&sso_reload=true | | malicious |
| https://portal.cklglhcewevsqdgaemswijeahkgbsv.cfd/Prefetch/Prefetch.aspx | | malicious |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js | 104.21.64.172 | |
| https://u2355257.ct.se= | unknown | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/ScriptResource.axd?d=WGugwSdCfSbHBT4gJhsbOoIJ8pnCmJexcChiwBnPyj8Uvq_zemO7UbGidWPrgnsiw1cFKYWr8YXIto_iIQeik-mkoQKPA5OxznsDTR1NcfD8o4iEWV_g8KrQ-pmCgqxx2TWXbm5d0BvEi9W2o9ZO3FLuMPajNTKX1D64S_99dtSOBFfriR3uUoRhr_ca0XUO43tRYLr1nNwuQF-1ZHfy8QeLz-b_EIc8o6KRn8q_3x01&t=74258c30 | 104.21.64.172 | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/Me.htm?v=3 | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/Default.aspx/GetBrandingInfo | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/favicon.ico?v=1342177280 | 104.21.64.172 | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/cdn-cgi/challenge-platform/scripts/jsd/main.js | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/css/Style.css?v=1342177280 | 104.21.64.172 | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd | unknown | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/cdn-cgi/challenge-platform/h/b/jsd/r/8756dfb46a5c6736 | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/WebResource.axd?d=GHM95i9wZWpluj8Ln0FPv9fpK68eX7eoXS-Uy2Ovs7ACZOCNluIPjqvRGwcoj9YpJpYLzmEF9gMKjvyOI3LibUGPMFE3ZcqQDwRTIfQCwey5TmpKxfRe2KkpJjr4E7W0x9lfCkhTRpe1LeybGxXHYg2&t=638478749639812753 | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/header_microsoft.png | 104.21.64.172 | |
| https://login.windows-ppe.net | unknown | |
| https://a.nel.cloudflare.com/report/v4?s=sYwc8tChFAIPtsuiYJm7YxeKtSfu4r1SW3lBpza8lK5Vlg1WCrLaEIGFVtaLVGMn4%2BjYOMBQzzafabkKmW7KK%2Bc67gzEOlRVYq%2FB9uGoYsjGiBpbrU6Z4Dr93GhOhP0tk9XtTeMwIh9sPpLyhI0lX%2F2pvWjyneoXBAd5 | 35.190.80.1 | |
| about:blank | | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/hip_reload.png | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/js/Common.js | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/Default.aspx?ru=https%3A%2F%2Flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2Fcommon%2Freprocess%3Fctx%3DrQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATWs7CdPrTpnWdj4T5h2R8bLFcxKhM2Qv8CI-MLRsZbTIL-RemeKeHFbqkpqUWJJZn5eRdYBF6x8BgwW3FwcAkwSDAoMPxgYVzECrRJ7Y2lb8HXLJdl9yfr_gnhYDjFqh8Qleiem-Ni6JPt5eftneVR6OtrVGSkXRpQkB_uoR2UYmQUUp6WHlFlVpJta25lOIFNaAIb0yk2hg9sjB3sDLPYGQ5wMh7gZfjBt-H4jJcrT01_5_GKX8exIDg1Iisn3yskyifH0zzb1cfT27vS1yPZMSfHpMAjtMTE0TLcPzPCtcLXdoMAAwA1&mkt=en-US&hosted=0&device_platform=Windows%2010&username=eprifti%40stonhard.com | | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/cdn-cgi/challenge-platform/h/b/jsd/r/8756dfcefb2753e8 | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/hip_text.gif | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/css/ltrStyle.css?v=1342177280 | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/js/Webtrends.js | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/ScriptResource.axd?d=JYFfKhzzgyiP-QEGFR-IZFaWyVYG5sO6DT28BFbjujLCERs7KcCpmI-HD38Ox-KAt6PHeeYpy59wZ8OnsueZOhuNGgV22xjVsgZxTSi9hQW8noQDHSpbae5tNzrA-XYX6pvhllSiB5ZKBnoSVvnYZ-9dcMk2bSJcFqLkTV52YEjxoRgbkSH3PQ1cDB-OiUOM_DecFxK6YHST0-gBG6ViWQ2&t=ffffffffa8ad04d3 | 104.21.64.172 | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/cdn-cgi/challenge-platform/h/b/scripts/jsd/bcc5fb0a8815/main.js | 172.67.187.49 | |
| https://u2355257.ct.sendgrid.net/ls/click?upn=u001.4YkCuNYTF3S1epm9KijHzHFfZe6RGn3F0umQQjG6fIb5h6U0n | unknown | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/favicon.ico | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/wait_animation.gif | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/hip_speaker.png | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/js/Button.js?v=1342177280 | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/WebResource.axd?d=n9YJYQapnswuIKsxDS4ywsPVv_yEhxx3lIL4ME74VSwD8iVwQTdF1YC7V6V2lbrXD0cziMEH0BlCXD8NfkddP8PQ8kVsDRg-A67yh9Jrvy7iDRdyEBqO-i-xW8jYAmtvhLpGr2K4hSjizAvWCdt5YQ2&t=638478749639812753 | 104.21.64.172 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/ScriptResource.axd?d=PlVFm3n07D-8oHu5djVLv1UuqRMnvk9CzVw0Y0qzzdsYRQpwSQ6VwYHaMaMvGG4Wyf9gcItkmYlDmJl6RQ3aacoeHOkMpm8ni388BZ0tSZMyaneykUckmQUb_uk6vyrRu0zyesmgZV8gF9JQCG4TUMp4vamG1vJ1zagQEVmDC3pfZQMExZ9476KsxRt9nCu2JRU9DI3OvZCYhBFnCZeaG1eA3KgVg0NbpK-Fed_1TbQ1&t=74258c30 | 104.21.64.172 | |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/common/GetCredentialType?mkt=en-US | 172.67.187.49 | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/images/footer_logo_grey_bg.png | 104.21.64.172 | |
| https://u2355257.ct.sendgrid.net/wf/open?upn=3Du001.u= | unknown | |
| https://example.com/ | 93.184.216.34 | |
| https://account.live.com/resetpassword.aspx | unknown | |

(30 further URLs are not included in this export.)

Note: the entries https://u2355257.ct.se= and https://u2355257.ct.sendgrid.net/wf/open?upn=3Du001.u= were extracted from the quoted-printable message body; the trailing "=" is a soft line break and "=3D" is an encoded "=", so these are truncated fragments rather than complete URLs and should not be used as exact-match indicators.
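The URL table above carries the kit's structure in its query strings: a random-keyed parameter whose value is the victim's address (9UWK56or=ghartman@stonhard.com, username=eprifti%40stonhard.com), and a URL-encoded ru= parameter on the passwordreset.* host that points back to login.*/common/reprocess. The following Python helper is an added example, not part of the sandbox report: it decodes those fields, flags hosts that borrow a Microsoft identity label (login, passwordreset, portal, aadcdn, account) on a domain that is not Microsoft's, and derives a host blocklist from the rows. The label set, the allowlist of Microsoft domains (including windows-ppe.net, which appears in the table and would otherwise be a false positive), and the two-label approximation of the registrable domain are assumptions of this example; the sample input is a subset of the table with the long ctx= token shortened.

```python
"""Added example, not part of the sandbox report: normalise URL indicators
from the table above into a host blocklist and surface the two details a
triager wants first: the victim address the kit prefills in a query value,
and the ru= return URL that chains passwordreset.* back to login.*."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the URL table, with the long ctx= token
# shortened. Everything else is copied from the report.
REPORT_URLS = [
    "https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com",
    "https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/Default.aspx"
    "?ru=https%3A%2F%2Flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2Fcommon%2Freprocess%3Fctx%3DrQQIARAA"
    "&mkt=en-US&hosted=0&device_platform=Windows%2010&username=eprifti%40stonhard.com",
    "https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/common/GetCredentialType?mkt=en-US",
    "https://portal.cklglhcewevsqdgaemswijeahkgbsv.cfd/Prefetch/Prefetch.aspx",
    "https://u2355257.ct.sendgrid.net/ls/click?upn=u001.4YkCuNYTF3S1epm9KijHzHFfZe6RGn3F0umQQjG6fIb5h6U0n",
    "https://a.nel.cloudflare.com/report/v4?s=sYwc8tChFAIPtsuiYJm7YxeKtSfu4r1SW3lBpza8lK5Vlg1WCrLaEIGFVtaLVGMn4",
    "https://login.windows-ppe.net",
    "https://account.live.com/resetpassword.aspx",
    "https://example.com/",
    "about:blank",
]

# Leftmost labels Microsoft uses on its sign-in / password-reset / portal /
# CDN hosts; the kit reuses them on its own domain. Assumption of this example.
IDENTITY_LABELS = {"login", "passwordreset", "portal", "aadcdn", "account"}
# Registrable domains where those labels are legitimate. windows-ppe.net is
# Microsoft's pre-production sign-in environment (it appears in the report);
# without this allowlist the label check alone would flag it.
MICROSOFT_DOMAINS = {
    "microsoftonline.com", "microsoft.com", "live.com", "office.com",
    "msauth.net", "windows.net", "windows-ppe.net",
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def registrable(host):
    """Crude eTLD+1 (last two labels). Enough for .cfd/.com/.net here; use a
    public-suffix list for co.uk-style domains in a real pipeline."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_lookalike(host):
    """True when the host borrows a Microsoft identity label on a domain that
    is not Microsoft's."""
    return host.split(".")[0] in IDENTITY_LABELS and registrable(host) not in MICROSOFT_DOMAINS


def analyse(url):
    """Return host, lookalike flag, prefilled e-mail and ru= target for one URL,
    or None for non-http URLs such as about:blank."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    finding = {"host": host, "lookalike": is_lookalike(host),
               "prefilled_email": None, "redirect": None}
    # The kit passes the victim address as a query value under a random key
    # (9UWK56or=...) or a named one (username=...); match on the value, not the key.
    for values in query.values():
        for value in values:
            if EMAIL_RE.match(value):
                finding["prefilled_email"] = value
    # ru= carries the next hop (login.*/common/reprocess) fully URL-encoded;
    # parse_qs has already decoded it once, so it can be split directly.
    if "ru" in query:
        finding["redirect"] = urlsplit(query["ru"][0]).hostname
    return finding


def blocklist(urls):
    """Sorted unique hosts worth blocking: lookalike hosts, hosts that receive a
    prefilled address, and lookalike ru= targets. Shared infrastructure such as
    the SendGrid click tracker or Cloudflare NEL reporting is deliberately left out."""
    hosts = set()
    for url in urls:
        finding = analyse(url)
        if finding is None:
            continue
        if finding["lookalike"] or finding["prefilled_email"]:
            hosts.add(finding["host"])
        if finding["redirect"] and is_lookalike(finding["redirect"]):
            hosts.add(finding["redirect"])
    return sorted(hosts)


if __name__ == "__main__":
    for url in REPORT_URLS:
        finding = analyse(url)
        if finding and (finding["lookalike"] or finding["prefilled_email"]):
            print(finding)
    print("block:", blocklist(REPORT_URLS))
```

Run against the sample, the blocklist is the three kit hosts (login, passwordreset and portal on cklglhcewevsqdgaemswijeahkgbsv.cfd); the SendGrid click-tracking host that delivered the link, the Cloudflare NEL reporting endpoint and account.live.com are left alone, since blocking shared infrastructure or a genuine Microsoft host would cause collateral damage. The e-mail check is done on query values rather than parameter names because the kit randomises the key (9UWK56or) on the landing page and only uses username= on the password-reset page.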

Domains

| Name | IP | Malicious |
|---|---|---|
| part-0013.t-0009.t-msedge.net | 13.107.213.41 | |
| a.nel.cloudflare.com | 35.190.80.1 | |
| portal.cklglhcewevsqdgaemswijeahkgbsv.cfd | 172.67.187.49 | |
| www.google.com | 142.250.9.105 | |
| u2355257.ct.sendgrid.net | 167.89.115.54 | |
| aadcdn.cklglhcewevsqdgaemswijeahkgbsv.cfd | 172.67.187.49 | |
| passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd | 104.21.64.172 | |
| example.com | 93.184.216.34 | |
| login.cklglhcewevsqdgaemswijeahkgbsv.cfd | 172.67.187.49 | |
| identity.nel.measure.office.net | unknown | |
| ajax.aspnetcdn.com | unknown | |

(1 further domain is not included in this export.)

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 142.250.9.105 | www.google.com | United States | |
| 93.184.216.34 | example.com | European Union | |
| 104.21.64.172 | passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd | United States | |
| 192.168.2.16 | unknown | unknown | |
| 167.89.115.54 | u2355257.ct.sendgrid.net | United States | |
| 239.255.255.250 | unknown | Reserved | |
| 13.107.213.41 | part-0013.t-0009.t-msedge.net | United States | |
| 172.67.187.49 | portal.cklglhcewevsqdgaemswijeahkgbsv.cfd | United States | |
| 35.190.80.1 | a.nel.cloudflare.com | United States | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession | CantBootResolution | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession | ProfileBeingOpened | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession | SessionId | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession | BootDiagnosticsLogFile | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics | OutlookBootFlag | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | ">+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData | SessionId | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData | ProfileBeingOpened | |
| HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1f\417C44EB | @%SystemRoot%\system32\mlang.dll,-4612 | |
| HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\1f\417C44EB | @%SystemRoot%\system32\mlang.dll,-4608 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards | PageSize | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings | Template | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options | WMACUpdated | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options | DefaultKerningLigatures | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData | BootDiagnosticsLogFile | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData | CantBootResolution | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | i$+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1 | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | i$+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | y$+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | x$+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1 | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | (%+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin | 1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | 7%+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | 7%+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | 7%+ | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems | 7%+ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage | NULL | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage | NULL | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage | NULL | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Volatile | MsaDevice | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046 | 000b046b | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet | UseRWHlinkNavigation | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet | UseRWOSHlinkNavigation | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar | WorkDay | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9207f3e0a3b11019908b08002b2a56c2 | 11023d05 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents | LastPurgeTime | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling | 6 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Logging | NULL | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage | OutlookMAPI2 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-CH | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-GB | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-CH | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-GB | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage | OutlookMAPI2Intl_1033 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046 | 00030429 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | {ED475418-B0D6-11D2-8C3B-00104B2A6676} | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | LastChangeVer | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\Forms Registry | CacheSyncCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | {ED475418-B0D6-11D2-8C3B-00104B2A6676} | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | LastChangeVer | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\ColleagueImport.ColleagueImportAddin | LoadCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes | ColleagueImport.ColleagueImportAddin | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Display Types\Balloons | HWND64ForOrphanedNotIcon | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OneNote.OutlookAddin | LoadCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-CH | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-GB | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-CH | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | en-GB | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes | OneNote.OutlookAddin | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\OscAddin.Connect | LoadCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes | OscAddin.Connect | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UCAddin.LyncAddin.1 | LoadCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes | UCAddin.LyncAddin.1 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\AddinsData\UmOutlookAddin.FormRegionAddin | LoadCount | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AddInLoadTimes | UmOutlookAddin.FormRegionAddin | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\1316 | 0 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\UserInfo | CountQuickSteps | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | {ED475418-B0D6-11D2-8C3B-00104B2A6676} | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | LastChangeVer | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage | SpellingAndGrammarFiles_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage | SpellingAndGrammarFiles_1036 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage | SpellingAndGrammarFiles_3082 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 0018000DDDFEBB86 | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} | DeviceTicket | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676 | LastChangeVer | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Search\Catalog | C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst | |

(97 further registry entries are not included in this export.)

DOM / HTML

| URL | Malicious |
|---|---|
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com | malicious |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com&sso_reload=true | malicious |
| https://login.cklglhcewevsqdgaemswijeahkgbsv.cfd/?9UWK56or=ghartman@stonhard.com&sso_reload=true | malicious |
| about:blank | |
| about:blank | |
| https://portal.cklglhcewevsqdgaemswijeahkgbsv.cfd/Prefetch/Prefetch.aspx | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/?ru=https%3a%2f%2flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2fcommon%2freprocess%3fctx%3drQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATWs7CdPrTpnWdj4T5h2R8bLFcxKhM2Qv8CI-MLRsZbTIL-RemeKeHFbqkpqUWJJZn5eRdYBF6x8BgwW3FwcAkwSDAoMPxgYVzECrRJ7Y2lb8HXLJdl9yfr_gnhYDjFqh8Qleiem-Ni6JPt5eftneVR6OtrVGSkXRpQkB_uoR2UYmQUUp6WHlFlVpJta25lOIFNaAIb0yk2hg9sjB3sDLPYGQ5wMh7gZfjBt-H4jJcrT01_5_GKX8exIDg1Iisn3yskyifH0zzb1cfT27vS1yPZMSfHpMAjtMTE0TLcPzPCtcLXdoMAAwA1&mkt=en-US&hosted=0&device_platform=Windows+10&username=eprifti%40stonhard.com | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/Default.aspx?ru=https%3A%2F%2Flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2Fcommon%2Freprocess%3Fctx%3DrQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATWs7CdPrTpnWdj4T5h2R8bLFcxKhM2Qv8CI-MLRsZbTIL-RemeKeHFbqkpqUWJJZn5eRdYBF6x8BgwW3FwcAkwSDAoMPxgYVzECrRJ7Y2lb8HXLJdl9yfr_gnhYDjFqh8Qleiem-Ni6JPt5eftneVR6OtrVGSkXRpQkB_uoR2UYmQUUp6WHlFlVpJta25lOIFNaAIb0yk2hg9sjB3sDLPYGQ5wMh7gZfjBt-H4jJcrT01_5_GKX8exIDg1Iisn3yskyifH0zzb1cfT27vS1yPZMSfHpMAjtMTE0TLcPzPCtcLXdoMAAwA1&mkt=en-US&hosted=0&device_platform=Windows%2010&username=eprifti%40stonhard.com | |
| https://passwordreset.cklglhcewevsqdgaemswijeahkgbsv.cfd/Default.aspx?ru=https%3A%2F%2Flogin.cklglhcewevsqdgaemswijeahkgbsv.cfd%2Fcommon%2Freprocess%3Fctx%3DrQQIARAA42Kw0skoKSkottLXL8gvKknM0cvNTC7KL85PK8nPy8nMS9VLzs_Vyy9Kz0wBsYqEuATWs7CdPrTpnWdj4T5h2R8bLFcxKhM2Qv8CI-MLRsZbTIL-RemeKeHFbqkpqUWJJZn5eRdYBF6x8BgwW3FwcAkwSDAoMPxgYVzECrRJ7Y2lb8HXLJdl9yfr_gnhYDjFqh8Qleiem-Ni6JPt5eftneVR6OtrVGSkXRpQkB_uoR2UYmQUUp6WHlFlVpJta25lOIFNaAIb0yk2hg9sjB3sDLPYGQ5wMh7gZfjBt-H4jJcrT01_5_GKX8exIDg1Iisn3yskyifH0zzb1cfT27vS1yPZMSfHpMAjtMTE0TLcPzPCtcLXdoMAAwA1&mkt=en-US&hosted=0&device_platform=Windows%2010&username=eprifti%40stonhard.com | |