Malware Analysis Report

2025-06-16 06:21

Sample ID 231130-vddr4aec33
Target 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.unknown
SHA256 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977

Threat Level: Known bad

The file 5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.unknown was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Launches Equation Editor

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-30 16:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-30 16:52

Reported

2023-11-30 16:56

Platform

win7-20231025-en

Max time kernel

119s

Max time network

161s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.rtf"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Subsystem = "C:\\Program Files (x86)\\AGP Subsystem\\agpss.exe" C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AGP Subsystem\agpss.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A
File created C:\Program Files (x86)\AGP Subsystem\agpss.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2712 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2580 wrote to memory of 2712 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2580 wrote to memory of 2712 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2580 wrote to memory of 2712 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 1740 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1740 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1740 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1740 wrote to memory of 336 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2712 wrote to memory of 436 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 436 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 436 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 436 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2712 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Users\Admin\AppData\Roaming\plugman29036.exe
PID 2304 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe
PID 2304 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Roaming\plugman29036.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Users\Admin\AppData\Roaming\plugman29036.exe

"C:\Users\Admin\AppData\Roaming\plugman29036.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE8E8.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zang1.almashreaq.top udp
US 104.21.70.74:80 zang1.almashreaq.top tcp
US 8.8.8.8:53 rn72836.sytes.net udp
VN 103.114.106.29:6696 rn72836.sytes.net tcp

Files

memory/1740-0-0x000000002F741000-0x000000002F742000-memory.dmp

memory/1740-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1740-2-0x00000000716AD000-0x00000000716B8000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2712-14-0x0000000001000000-0x00000000010AA000-memory.dmp

memory/2712-15-0x000000006B7B0000-0x000000006BE9E000-memory.dmp

memory/2712-17-0x0000000004A20000-0x0000000004A60000-memory.dmp

memory/2712-22-0x0000000000500000-0x000000000051A000-memory.dmp

memory/2712-23-0x0000000000520000-0x0000000000528000-memory.dmp

memory/1740-24-0x00000000716AD000-0x00000000716B8000-memory.dmp

memory/2712-25-0x000000006B7B0000-0x000000006BE9E000-memory.dmp

memory/2712-26-0x0000000004A20000-0x0000000004A60000-memory.dmp

memory/2712-27-0x0000000000530000-0x000000000053A000-memory.dmp

memory/2712-29-0x0000000004FC0000-0x0000000005032000-memory.dmp

memory/2304-30-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2304-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-35-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-37-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2304-41-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman29036.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2304-44-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2712-46-0x000000006B7B0000-0x000000006BE9E000-memory.dmp

memory/2304-47-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2304-48-0x000000006B7B0000-0x000000006BE9E000-memory.dmp

memory/2304-49-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE8E8.tmp

MD5 87d51fa1cc254273b019f5828ea7194f
SHA1 692dd452d56c655e4f7a044a4c785bd82d3b2a57
SHA256 1d50bc377216f796fafc72544836c5a2b9d6a51d0bc855c6ecf92b270dbc9f8c
SHA512 477c1396421ccfc12d62a8f1c9744b7e9c695d98b12ea02fbd76a1b9760587a7075e24e512c19fdd305c5933e20bcc22e8d9848f7281a1927bea5a62292cada2

C:\Users\Admin\AppData\Local\Temp\tmp10E3.tmp

MD5 8aefdc623880016d77594b1802f74db6
SHA1 17608aaab6106247dec66a472516d023272c9b9b
SHA256 ccd9d374a356e8635fe06015e07c986fb0e6f71099234ddc2935a6cb5e1571ac
SHA512 bde73cc8244dcb054ff68b86df14ae644b0816aac8524e746e9bf0e68406c6d7e8ee6a0c642b11a9b197319b023c43fcbdc5eafe9c32e4011ad8065cea0b1eb5

memory/2304-56-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/2304-57-0x00000000004B0000-0x00000000004CE000-memory.dmp

memory/2304-58-0x0000000000510000-0x000000000051A000-memory.dmp

memory/2304-61-0x0000000000590000-0x00000000005A2000-memory.dmp

memory/2304-62-0x00000000005B0000-0x00000000005CA000-memory.dmp

memory/2304-63-0x0000000000830000-0x000000000083E000-memory.dmp

memory/2304-64-0x0000000000850000-0x0000000000862000-memory.dmp

memory/2304-65-0x0000000000860000-0x000000000086E000-memory.dmp

memory/2304-66-0x0000000000870000-0x000000000087C000-memory.dmp

memory/2304-67-0x0000000000B10000-0x0000000000B24000-memory.dmp

memory/2304-68-0x0000000000B60000-0x0000000000B70000-memory.dmp

memory/2304-69-0x0000000000C20000-0x0000000000C34000-memory.dmp

memory/2304-70-0x0000000000C30000-0x0000000000C3E000-memory.dmp

memory/2304-71-0x0000000004E90000-0x0000000004EBE000-memory.dmp

memory/2304-72-0x0000000000E70000-0x0000000000E84000-memory.dmp

memory/2304-74-0x000000006B7B0000-0x000000006BE9E000-memory.dmp

memory/2304-75-0x0000000004CB0000-0x0000000004CF0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 3ac7b7512ad555b1489869642130c77e
SHA1 17e583c05a912066f32261e8e41232f442b2cb99
SHA256 900c2ae02948b9979dfeba18b199f1cabb7361c43929378d51ac94a3452c5fe6
SHA512 7f0d47d16cf903fca80661d79bfc560c020b0be2eb8b21017c446ef2294af1b7da49a0cefd31a6a9155ada6aa3b3dea592e4bab33fb5f17063dc207fb961af0d

memory/1740-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1740-94-0x00000000716AD000-0x00000000716B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-30 16:52

Reported

2023-11-30 16:55

Platform

win10v2004-20231127-en

Max time kernel

160s

Max time network

161s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5cdd0eea11c3a986453ba11e2d2f5dfe8df3d5182c498e9d49b61bb5f1a07977doc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 58.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/3540-0-0x00007FFBFBAB0000-0x00007FFBFBAC0000-memory.dmp

memory/3540-2-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-4-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-3-0x00007FFBFBAB0000-0x00007FFBFBAC0000-memory.dmp

memory/3540-1-0x00007FFBFBAB0000-0x00007FFBFBAC0000-memory.dmp

memory/3540-5-0x00007FFBFBAB0000-0x00007FFBFBAC0000-memory.dmp

memory/3540-6-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-8-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-7-0x00007FFBFBAB0000-0x00007FFBFBAC0000-memory.dmp

memory/3540-9-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-10-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-11-0x00007FFBF92D0000-0x00007FFBF92E0000-memory.dmp

memory/3540-12-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-13-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-14-0x00007FFC3BA30000-0x00007FFC3BC25000-memory.dmp

memory/3540-21-0x00007FFBF92D0000-0x00007FFBF92E0000-memory.dmp