Malware Analysis Report

2024-10-23 22:16

Sample ID 240509-exhbmadb55
Target 87930142ba02cbbfe0b77ab3beb3d1bc.rtf
SHA256 3445d16ad6e5de9939611d9bc5f3169581c3bd1166ad228506d6be70ac1eacbd
Tags
formbook ht3d execution rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3445d16ad6e5de9939611d9bc5f3169581c3bd1166ad228506d6be70ac1eacbd

Threat Level: Known bad

The file 87930142ba02cbbfe0b77ab3beb3d1bc.rtf was found to be: Known bad.

Malicious Activity Summary

formbook ht3d execution rat spyware stealer trojan

Formbook

Formbook payload

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: MapViewOfSection

Launches Equation Editor

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 04:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 04:19

Reported

2024-05-09 04:22

Platform

win7-20240508-en

Max time kernel

146s

Max time network

136s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2824 set thread context of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 1808 set thread context of 1224 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\Explorer.EXE
PID 1808 set thread context of 1224 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\Explorer.EXE
PID 772 set thread context of 1224 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\Explorer.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
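The `Set value (data)` rows above show a `command` value under each `shell\edit\command` key as a long hex string. That is the sandbox's rendering of a REG_BINARY value, and the bytes are plain little-endian UTF-16. Decoding them is the quickest way to check whether the "adware spyware" tag on these rows means anything: on my reading they are Office's own HTML/MHTML editor registration (a Windows Installer advertised-component descriptor followed by the launch switches), written by WINWORD.EXE on first run, and not attacker-controlled commands. The Python below is an added example, not part of the sandbox report or its vendor's code; the three hex values are copied from the rows above, while the `is_benign_launch_template` heuristic and the key names used as dictionary labels are mine.

```python
# Added example (not from the sandbox report): decode the REG_BINARY "command"
# values that WINWORD.EXE wrote under ...\shell\edit\command\command and check
# that the argument template is nothing more than Office switches plus "%1".

from __future__ import annotations

# Hex values copied verbatim from the "Modifies Internet Explorer settings" and
# "Modifies registry class" rows of the report. The labels are shortened key names.
REPORT_COMMAND_BLOBS = {
    "Default HTML Editor\\shell\\edit\\command\\command":
        "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000",
    ".mht\\OpenWithList\\Excel.exe\\shell\\edit\\command\\command":
        "78006200270042005600350021002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000",
    ".htm\\OpenWithList\\MSPub.exe\\shell\\edit\\command\\command":
        "78006200270042005600350021002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000",
}


def decode_reg_command(hex_value: str) -> str:
    """Turn the sandbox's hex rendering of a REG_BINARY value into text.

    The payload is UTF-16LE; the trailing 00 00 00 00 is the string terminator.
    """
    raw = bytes.fromhex(hex_value.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def split_descriptor(decoded: str) -> tuple[str, str]:
    """Split '<descriptor> <args>' at the first space.

    Everything before the space is an opaque Windows Installer descriptor that
    resolves to the installed Office binary; everything after it is the argument
    template the shell will pass to that binary.
    """
    descriptor, _, args = decoded.partition(" ")
    return descriptor, args


def is_benign_launch_template(args: str) -> bool:
    """Heuristic (mine, not the sandbox's): only known Office switches and the
    "%1" file placeholder may appear. A URL, a path under AppData, or a script
    host in here would deserve a closer look."""
    allowed = {"/n", "/dde", '"%1"', "%1"}
    return all(tok in allowed for tok in args.split())


def triage_report_blobs(blobs: dict[str, str] = REPORT_COMMAND_BLOBS) -> dict[str, dict]:
    """Decode every blob and report descriptor, args and the benign-template verdict."""
    results = {}
    for key, hex_value in blobs.items():
        decoded = decode_reg_command(hex_value)
        descriptor, args = split_descriptor(decoded)
        results[key] = {
            "decoded": decoded,
            "descriptor": descriptor,
            "args": args,
            "benign_template": is_benign_launch_template(args),
        }
    return results


if __name__ == "__main__":
    for key, r in triage_report_blobs().items():
        verdict = "ok" if r["benign_template"] else "REVIEW"
        print(f"{verdict:6} {key}\n       descriptor={r['descriptor']!r} args={r['args']!r}")
```

The descriptor part is deliberately treated as opaque: it is resolved by the Windows Installer at launch time, so the only part an analyst can sanity-check from the registry alone is the argument template after the space. The same decoder works on the `Wow6432Node\...\Default MHTML Editor` rows and the remaining `OpenWithList` rows, which carry the same three blobs.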

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
N/A N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\hjcl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\NAPSTAT.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2168 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2168 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2168 wrote to memory of 2824 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 1688 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1688 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1688 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1688 wrote to memory of 1936 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2824 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2824 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 308 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Windows\SysWOW64\schtasks.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 2824 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\hjcl.exe C:\Users\Admin\AppData\Roaming\hjcl.exe
PID 1224 wrote to memory of 772 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1224 wrote to memory of 772 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1224 wrote to memory of 772 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 1224 wrote to memory of 772 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
PID 772 wrote to memory of 1080 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1080 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1080 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe
PID 772 wrote to memory of 1080 N/A C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87930142ba02cbbfe0b77ab3beb3d1bc.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\hjcl.exe

"C:\Users\Admin\AppData\Roaming\hjcl.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zNukUlepyAI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zNukUlepyAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp670D.tmp"

C:\Users\Admin\AppData\Roaming\hjcl.exe

"C:\Users\Admin\AppData\Roaming\hjcl.exe"

C:\Windows\SysWOW64\NAPSTAT.EXE

"C:\Windows\SysWOW64\NAPSTAT.EXE"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\hjcl.exe"
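The process list above, read together with the "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" rows, gives the whole chain: WINWORD.EXE opens the RTF, EQNEDT32.EXE is activated and writes the dropped `hjcl.exe` (PID 2824), which registers a Defender exclusion through PowerShell, installs a scheduled task from an XML file in Temp, hollows a second copy of itself (PID 1808), which in turn sets the thread context of Explorer.EXE (PID 1224); Explorer then starts NAPSTAT.EXE, and NAPSTAT deletes the dropper with `cmd /c del`. Two points matter when turning this into detection logic. First, the report never names EQNEDT32.EXE's parent: the `-Embedding` switch means it was COM-activated, so in practice its parent is the DcomLaunch service host rather than WINWORD.EXE, and a rule keyed on "WINWORD spawns X" would miss the dropper; key on EQNEDT32.EXE as the parent instead. Second, the command lines say `C:\Windows\System32\...` while the image paths say `SysWOW64`: that is WOW64 file-system redirection, because the 32-bit dropper launched them, not a tampered path. The Python below is an added example, not part of the sandbox report or its vendor's tooling. The process table is constructed from the rows above; PIDs and parent links come from the WriteProcessMemory rows (a parent writes into its freshly created child), WINWORD's parent (Explorer, 1224) is assumed, and the rule names are mine.

```python
# Added example (not from the sandbox report): rebuild the behavioral1 process
# tree from the report's rows and apply a few triage rules to it.

from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None  # None = parent not stated by the report


# Constructed from the "Processes" and "Suspicious use of WriteProcessMemory"
# sections. Parent PIDs follow the "PID A wrote to memory of B" rows.
# WINWORD's parent (1224) is an assumption; EQNEDT32's parent is unknown here
# because -Embedding means COM activation, not a child of WINWORD.
PROCS = [
    Proc(1224, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1688, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n '
         r'"C:\Users\Admin\AppData\Local\Temp\87930142ba02cbbfe0b77ab3beb3d1bc.rtf"', 1224),
    Proc(2168, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    Proc(2824, r"C:\Users\Admin\AppData\Roaming\hjcl.exe", r'"C:\Users\Admin\AppData\Roaming\hjcl.exe"', 2168),
    Proc(1936, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288", 1688),
    Proc(1364, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
         r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\zNukUlepyAI.exe"', 2824),
    Proc(308, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zNukUlepyAI" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp670D.tmp"', 2824),
    Proc(1808, r"C:\Users\Admin\AppData\Roaming\hjcl.exe", r'"C:\Users\Admin\AppData\Roaming\hjcl.exe"', 2824),
    Proc(772, r"C:\Windows\SysWOW64\NAPSTAT.EXE", r'"C:\Windows\SysWOW64\NAPSTAT.EXE"', 1224),
    Proc(1080, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Roaming\hjcl.exe"', 772),
]

# (source PID, target PID) from the "Suspicious use of SetThreadContext" rows.
THREAD_CONTEXT_SETS = [(2824, 1808), (1808, 1224), (772, 1224)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(procs: list[Proc], thread_context_sets: list[tuple[int, int]]) -> list[dict]:
    """Return one finding per rule hit: {"rule", "pid", "detail"}."""
    by_pid = {p.pid: p for p in procs}
    images = {p.image.lower() for p in procs}
    findings: list[dict] = []

    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid) if p.ppid is not None else None

        # Equation Editor should never start another program; the parent is
        # EQNEDT32 itself, not WINWORD, because of COM activation.
        if parent is not None and basename(parent.image) == "eqnedt32.exe":
            findings.append({"rule": "equation_editor_child", "pid": p.pid, "detail": p.image})

        # Defender exclusion added from the command line (defence evasion).
        if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusionpath", p.cmdline, re.I):
            findings.append({"rule": "defender_exclusion", "pid": p.pid, "detail": p.cmdline})

        # Scheduled task imported from an XML file in a Temp directory (persistence).
        if name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            m = re.search(r'/xml\s+"?([^"\s]+)', p.cmdline, re.I)
            if m and "\\temp\\" in m.group(1).lower():
                findings.append({"rule": "schtasks_xml_from_temp", "pid": p.pid, "detail": m.group(1)})

        # cmd /c del of a file that was itself executed during the run (self-deletion).
        if name == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+\.exe)', p.cmdline, re.I)
            if m and m.group(1).lower() in images:
                findings.append({"rule": "self_delete_dropped_exe", "pid": p.pid, "detail": m.group(1)})

    # SetThreadContext on another process is the hollowing/injection step.
    for src, dst in thread_context_sets:
        if src != dst and dst in by_pid:
            findings.append({"rule": "cross_process_setthreadcontext", "pid": src,
                             "detail": f"{basename(by_pid[src].image)} -> {basename(by_pid[dst].image)} ({dst})"})
    return findings


if __name__ == "__main__":
    for f in triage(PROCS, THREAD_CONTEXT_SETS):
        print(f"{f['rule']:32} pid={f['pid']:<5} {f['detail']}")
```

The rules key on behaviour rather than on the names in this run: the task name `Updates\zNukUlepyAI` and the excluded path `zNukUlepyAI.exe` do not even match the dropped file `hjcl.exe`, so a name-based indicator from this report would not carry over to the next sample, while "schtasks /Create /XML from Temp" and "Add-MpPreference -ExclusionPath from a process under AppData" will.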

Network

Country Destination Domain Proto
US 192.3.179.142:80 192.3.179.142 tcp
US 8.8.8.8:53 www.data-list.online udp
DE 3.64.163.50:80 www.data-list.online tcp
US 8.8.8.8:53 www.sigmadriving.com udp
BE 34.140.68.98:80 www.sigmadriving.com tcp
US 8.8.8.8:53 www.isboston.net udp
DE 3.64.163.50:80 www.isboston.net tcp
US 8.8.8.8:53 www.freediveexperience.com udp
DE 91.195.240.123:80 www.freediveexperience.com tcp
US 8.8.8.8:53 www.testingsol.com udp

Files

memory/1688-0-0x000000002F9D1000-0x000000002F9D2000-memory.dmp

memory/1688-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1688-2-0x00000000712DD000-0x00000000712E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\hjcl.exe

MD5 f49a18388f070afc8f7a17f6053666ba
SHA1 d1062e2c38badf9aac1a2c2d0bf4ea7f3e07341b
SHA256 3b746894d0a71f6162d96d2af36bea8d794d7e23af44c5536fcf97d416510a6e
SHA512 6557e22c3e5542262cb8d9ae6c1a79a17f8ce2b9666dfab3ea2df5acd8c23bda607358569b75454cb49a3d36448c08a1a671923f27c13b2473d5925842a7cd34

memory/2824-19-0x0000000000C20000-0x0000000000CDA000-memory.dmp

memory/2824-24-0x00000000008C0000-0x00000000008DE000-memory.dmp

memory/2824-26-0x0000000000980000-0x0000000000990000-memory.dmp

memory/2824-27-0x00000000009E0000-0x00000000009F6000-memory.dmp

memory/2824-28-0x0000000007410000-0x0000000007486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp670D.tmp

MD5 16ace24a938a4575f4c608361972d70f
SHA1 3de37ee295f3b699411649720c9ce1f1e5c759d7
SHA256 199476fe9149b9f6ecd7ba21dcecc41dc1d3178884404c834a7a1359450343f1
SHA512 395e6b6238a0d82ab8c49f524ff37c98487a833a174b59bbf6023e6fbbc2be1b1e24b7ad093bd6481a6e8b85548533434314e564d5bd68a491070997c8d13185

memory/1808-34-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1808-39-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1808-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1808-36-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1224-44-0x0000000000340000-0x0000000000440000-memory.dmp

memory/1808-45-0x0000000000400000-0x000000000042F000-memory.dmp

memory/772-46-0x00000000000A0000-0x00000000000E6000-memory.dmp

memory/1688-47-0x00000000712DD000-0x00000000712E8000-memory.dmp

memory/772-48-0x0000000000130000-0x000000000015F000-memory.dmp

memory/1224-51-0x0000000004C70000-0x0000000004D69000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 6bf82377d75055da5a563f3738a9de19
SHA1 36b2b543d2cdad611963150cf27c05ab9b825931
SHA256 d6b3ce7bd5f2902f4dc41e4b116f1b2668b5142729af59b5a732b9d70ee99fdb
SHA512 219229de0f9470c413f37d4455786a6049ed3c5e8f6b12559cab699e58b65f0b46f77bcb6a6a1b06a4d08d0acfe34a6de31f57803609508f0e102f98e8ebe2ef

memory/1688-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 04:19

Reported

2024-05-09 04:22

Platform

win10v2004-20240508-en

Max time kernel

114s

Max time network

128s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87930142ba02cbbfe0b77ab3beb3d1bc.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\87930142ba02cbbfe0b77ab3beb3d1bc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
BE 2.17.196.160:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
NL 2.18.121.72:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 160.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 72.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2584-0-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-2-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-1-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-4-0x00007FFC0EE2D000-0x00007FFC0EE2E000-memory.dmp

memory/2584-3-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-5-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-6-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-7-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-8-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-9-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-10-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-12-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

memory/2584-11-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-13-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-15-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-14-0x00007FFBCC510000-0x00007FFBCC520000-memory.dmp

memory/2584-16-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-17-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-19-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-23-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-22-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-21-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-20-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-18-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD9AF6.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/2584-501-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp

memory/2584-532-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-533-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-535-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-534-0x00007FFBCEE10000-0x00007FFBCEE20000-memory.dmp

memory/2584-536-0x00007FFC0ED90000-0x00007FFC0EF85000-memory.dmp