Analysis Overview
SHA256
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53
Threat Level: Likely malicious
The file 28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53 was found to be: Likely malicious.
Malicious Activity Summary
Suspicious Office macro
Deletes itself
Drops file in Windows directory
Office loads VBA resources, possible macro or embedded object present
Modifies registry class
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
NTFS ADS
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 10:03
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 10:03
Reported
2024-04-10 10:06
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\FLAGS\ = "6" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\FLAGS | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\ = "Microsoft Forms 2.0 Object Library" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2916 wrote to memory of 2444 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2916 wrote to memory of 2444 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2916 wrote to memory of 2444 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2916 wrote to memory of 2444 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Network
| Country | Destination | Domain | Proto |
| GB | 51.38.87.253:25255 | N/A | tcp |
Files
memory/2916-0-0x000000002F781000-0x000000002F782000-memory.dmp
memory/2916-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2916-2-0x0000000070E3D000-0x0000000070E48000-memory.dmp
memory/2916-7-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-8-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-9-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-11-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-10-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-12-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-6-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-13-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-15-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-17-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-16-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-18-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-20-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-19-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-14-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-21-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-23-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-24-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-25-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-26-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-28-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-27-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-29-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-32-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-31-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-34-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-35-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-36-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-33-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-30-0x00000000004C0000-0x00000000005C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
| MD5 | 0bd3d6e8d36b42cd0d772b5b1cc6dd15 |
| SHA1 | 0be5826ccdf3ff4ff92dea7586332ea6f50228e6 |
| SHA256 | 18c1d4f2781f98a0ae9131dedee10accff8061732056a319e89a629d19517be1 |
| SHA512 | 931bbcfe66f89a49261c9590cf641739e809d5c430fc1daa5fd29b99c0daba154e0ea47d9d28c2282cd9f42492dde77339f4461bd79edb8dc03b8b024133724c |
memory/2916-47-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-49-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-50-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-52-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-53-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-54-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-51-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2784-56-0x000000002F781000-0x000000002F782000-memory.dmp
memory/2784-58-0x0000000070E3D000-0x0000000070E48000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl
| MD5 | 0daab2b91315a8859daee807fb1d0a8d |
| SHA1 | 116cb5aac03402a3babbb443cb173c99b6f04525 |
| SHA256 | c992eec5f5c6905b3d269347333af7b0940e0b1e0fc0d414b82e3e7317b070c6 |
| SHA512 | 0fc9b891940533f2c9f49294e13a47fe5785ed1a889aa0f3afddf8471216304a8d2d6699d536a867cc2861e274aca2a4450e3f94138901bd344efb9f7bdea332 |
memory/2916-65-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-67-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-66-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-69-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-70-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-71-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2916-68-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2784-72-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-73-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-74-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-76-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-75-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2916-77-0x0000000070E3D000-0x0000000070E48000-memory.dmp
memory/2784-79-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2916-80-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2784-82-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-84-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-83-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-85-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-86-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-87-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-88-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-89-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-90-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-91-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-92-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-94-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-93-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-96-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-99-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-100-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2784-101-0x0000000070E3D000-0x0000000070E48000-memory.dmp
memory/2916-103-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/2784-113-0x0000000000550000-0x0000000000650000-memory.dmp
memory/2916-114-0x00000000004C0000-0x00000000005C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
| MD5 | 2613e069bd1a26cd5d0c51b8bda2d65a |
| SHA1 | e2bc0cd8d6aac818d5f7f2c1b64dd261104b4acf |
| SHA256 | c4f0afb2912b889570837d8f030b2887f31426dd7f1034d4329d91ccbf591a7a |
| SHA512 | 059bd0a45c1b76c1781dfbd7c458aadd8d7ee37639885137f499e3d777852d4c6b4814012acd614853220356b9ef30a52b7c1e5ae58d754d3d1289e4e7f102d2 |
memory/2784-153-0x0000000070E3D000-0x0000000070E48000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2916-162-0x00000000004C0000-0x00000000005C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | b04fd3884038b13390e7a065db5af8e8 |
| SHA1 | 77766abc66b4466c2bbbf7c95ffce8e88888cb2a |
| SHA256 | dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650 |
| SHA512 | a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4 |
memory/2916-185-0x0000000070E3D000-0x0000000070E48000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 10:03
Reported
2024-04-10 10:06
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
161s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm" /o ""
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.229.138.52.in-addr.arpa | udp |
| GB | 51.38.87.253:25255 | | tcp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\FE9FE847-3008-4B31-B664-1A70C07CFE30
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json