Malware Analysis Report
2025-06-16 06:21

Sample ID: 231129-rpy1magh28
Target: plugmanzx.doc
SHA256: 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977
Threat Level: Known bad

The file plugmanzx.doc was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-11-29 14:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-11-29 14:22
Reported: 2023-11-29 14:25
Platform: win7-20231023-en
Max time kernel: 117s
Max time network: 153s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\plugmanzx.rtf"

Signatures

NanoCore

Tags: keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2612 set thread context of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A
File opened for modification | C:\Program Files (x86)\DPI Subsystem\dpiss.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Launches Equation Editor

Tags: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2704 wrote to memory of 2612 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2704 wrote to memory of 2612 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2704 wrote to memory of 2612 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2704 wrote to memory of 2612 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2612 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 328 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 328 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Roaming\plugman29036.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2968 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2968 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2968 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe
PID 2968 wrote to memory of 2416 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\plugmanzx.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCF31.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD06A.tmp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zang1.almashreaq.top | udp
US | 104.21.70.74:80 | zang1.almashreaq.top | tcp
US | 8.8.8.8:53 | rn72836.sytes.net | udp
VN | 103.114.106.29:6696 | rn72836.sytes.net | tcp

Files

memory/2968-0-0x000000002F881000-0x000000002F882000-memory.dmp

memory/2968-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2968-2-0x0000000070D2D000-0x0000000070D38000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2612-15-0x00000000011C0000-0x000000000126A000-memory.dmp

memory/2612-16-0x000000006AEE0000-0x000000006B5CE000-memory.dmp

memory/2612-17-0x0000000004900000-0x0000000004940000-memory.dmp

memory/2612-22-0x0000000000940000-0x000000000095A000-memory.dmp

memory/2612-23-0x0000000000A40000-0x0000000000A48000-memory.dmp

memory/2612-24-0x00000000009A0000-0x00000000009AA000-memory.dmp

memory/2612-25-0x0000000004C20000-0x0000000004C92000-memory.dmp

memory/328-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/328-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/328-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/328-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/328-32-0x0000000000400000-0x0000000000438000-memory.dmp

memory/328-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/328-35-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2612-37-0x000000006AEE0000-0x000000006B5CE000-memory.dmp

memory/328-38-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2968-39-0x0000000070D2D000-0x0000000070D38000-memory.dmp

memory/328-40-0x000000006A630000-0x000000006AD1E000-memory.dmp

memory/328-41-0x0000000004D10000-0x0000000004D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCF31.tmp

MD5 87d51fa1cc254273b019f5828ea7194f
SHA1 692dd452d56c655e4f7a044a4c785bd82d3b2a57
SHA256 1d50bc377216f796fafc72544836c5a2b9d6a51d0bc855c6ecf92b270dbc9f8c
SHA512 477c1396421ccfc12d62a8f1c9744b7e9c695d98b12ea02fbd76a1b9760587a7075e24e512c19fdd305c5933e20bcc22e8d9848f7281a1927bea5a62292cada2

C:\Users\Admin\AppData\Local\Temp\tmpD06A.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 e426a13089076f0ff397af4736b05889
SHA1 a4703a238f9c0768321a76b8deb0b2f5885fed00
SHA256 23e0f594a4a471e11fc9a16bcba920078c95307db515f60e95e85b4b1d1a4836
SHA512 7b0af2e430c6263328538c5a096da0bc2ab60588069b3ac07b41df7d920109019adce3ff70aa73c7ccd44397e17f5a495d4297a4d820bf353b85f09566673e39

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-29 14:22

Reported

2023-11-29 14:25

Platform

win10v2004-20231127-en

Max time kernel

136s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\plugmanzx.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\plugmanzx.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files
