Malware Analysis Report

2025-05-28 17:39

Sample ID 240311-1cj6daha26
Target Arrival Notice.xls
SHA256 008653065299f1e96ecd195fe23948cc3976210bc8d58ba0e1456db17270154d
Tags
lokibot collection spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

008653065299f1e96ecd195fe23948cc3976210bc8d58ba0e1456db17270154d

Threat Level: Known bad

The file Arrival Notice.xls was found to be: Known bad.

Malicious Activity Summary

lokibot collection spyware stealer trojan

Lokibot

Blocklisted process makes network request

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Abuses OpenXML format to download file from external location

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Office loads VBA resources, possible macro or embedded object present

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Suspicious use of SetWindowsHookEx

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 21:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 21:30

Reported

2024-03-11 21:32

Platform

win7-20240221-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"

Signatures

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Abuses OpenXML format to download file from external location

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\CNN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\CNN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\CNN.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 280 set thread context of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\CNN.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 280 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\CNN.exe
PID 2760 wrote to memory of 280 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\CNN.exe
PID 2760 wrote to memory of 280 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\CNN.exe
PID 2760 wrote to memory of 280 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\CNN.exe
PID 2868 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2868 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2868 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2868 wrote to memory of 3064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 280 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 892 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe
PID 280 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\CNN.exe C:\Users\Admin\AppData\Roaming\CNN.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Roaming\CNN.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Roaming\CNN.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\CNN.exe

"C:\Users\Admin\AppData\Roaming\CNN.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\CNN.exe

"C:\Users\Admin\AppData\Roaming\CNN.exe"

C:\Users\Admin\AppData\Roaming\CNN.exe

"C:\Users\Admin\AppData\Roaming\CNN.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 en0.de udp
US 172.67.163.104:80 en0.de tcp
VN 103.237.87.82:80 103.237.87.82 tcp
US 172.67.163.104:80 en0.de tcp
US 172.67.163.104:80 en0.de tcp
VN 103.237.87.82:80 103.237.87.82 tcp
US 172.67.163.104:80 en0.de tcp
VN 103.237.87.82:80 103.237.87.82 tcp
VN 103.167.88.167:80 103.167.88.167 tcp
US 8.8.8.8:53 sempersim.su udp
US 104.237.252.28:80 sempersim.su tcp
US 104.237.252.28:80 sempersim.su tcp
US 104.237.252.28:80 sempersim.su tcp
US 104.237.252.28:80 sempersim.su tcp
US 104.237.252.28:80 sempersim.su tcp
US 104.237.252.28:80 sempersim.su tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Temp\{A0E684AA-FE5F-47FC-B074-316FEB1E175A}

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E71CAF4B-88F9-4DE5-9EC1-59D315A8088B}.FSD

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNQNAXHS\dnamatchedlovesuccessfullycompletedwithanotherlovertouderstandhowshebelievedonmeand___lovedmealotwithlotoflove[1].doc

C:\Users\Admin\AppData\Roaming\CNN.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1650401615-1019878084-3673944445-1000\0f5007522459c86e95ffcc62f32308f1_43e6e718-24fe-4167-ac4b-2355fb5d6031

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1650401615-1019878084-3673944445-1000\0f5007522459c86e95ffcc62f32308f1_43e6e718-24fe-4167-ac4b-2355fb5d6031

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 21:30

Reported

2024-03-11 21:32

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAuditPrivilege N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 1416 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe
PID 1448 wrote to memory of 1416 N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.xls"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" -Embedding

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1AC5A584-0DC4-4481-B6C8-922FD3B22F8C

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\86GPDKUQ\dnamatchedlovesuccessfullycompletedwithanotherlovertouderstandhowshebelievedonmeand___lovedmealotwithlotoflove[1].doc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187