Malware Analysis Report

2024-10-23 22:21

Sample ID 240509-fry8mafb48
Target 1aa76ce00f01882d5cd3d712b8052bc2.rtf
SHA256 9ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029
Tags
formbook ht3d rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ae7ad0d29ba6a855eec28c8dca1b7b43063677139463dc54640d4232489d029

Threat Level: Known bad

The file 1aa76ce00f01882d5cd3d712b8052bc2.rtf was found to be: Known bad.

Malicious Activity Summary

formbook ht3d rat spyware stealer trojan

Formbook

Formbook payload

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 05:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 05:07

Reported

2024-05-09 05:09

Platform

win7-20240221-en

Max time kernel

148s

Max time network

141s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2508 set thread context of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2960 set thread context of 1212 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Windows\Explorer.EXE
PID 1560 set thread context of 1212 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\Explorer.EXE

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A
N/A N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\html.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmstp.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2508 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\html.exe
PID 2604 wrote to memory of 2508 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\html.exe
PID 2604 wrote to memory of 2508 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\html.exe
PID 2604 wrote to memory of 2508 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\html.exe
PID 1888 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1888 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1888 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1888 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2508 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 2508 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\html.exe C:\Users\Admin\AppData\Roaming\html.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1212 wrote to memory of 1560 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmstp.exe
PID 1560 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe
PID 1560 wrote to memory of 1852 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1aa76ce00f01882d5cd3d712b8052bc2.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Users\Admin\AppData\Roaming\html.exe

"C:\Users\Admin\AppData\Roaming\html.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\SysWOW64\cmstp.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\html.exe"

Network

Country Destination Domain Proto
US 192.3.179.142:80 192.3.179.142 tcp
US 8.8.8.8:53 www.isboston.net udp
DE 3.64.163.50:80 www.isboston.net tcp
US 8.8.8.8:53 www.nativegarden.net udp
US 13.248.169.48:80 www.nativegarden.net tcp
US 8.8.8.8:53 www.hoodjac.com udp
CA 23.227.38.74:80 www.hoodjac.com tcp
US 8.8.8.8:53 www.weatherproofit.net udp
US 108.186.5.237:80 www.weatherproofit.net tcp
US 8.8.8.8:53 www.blessedunity.com udp
US 8.8.8.8:53 www.ryan-waltz.com udp
US 34.149.87.45:80 www.ryan-waltz.com tcp

Files

memory/1888-0-0x000000002F1A1000-0x000000002F1A2000-memory.dmp

memory/1888-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1888-2-0x000000007109D000-0x00000000710A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\html.exe

MD5 cef1565654989742eaffa2cbc59947eb
SHA1 afef46a08dc6a2e1b3c8a9c6b58627677403f7b5
SHA256 f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
SHA512 53b9b0cf0d8d1c815c269e1f152ee26cda3fe18e277341f753c2d98a134e32a1c4bc6691d99cee68942e497014785087a20b2563005fd7ce4aaac9511ccfcf97

memory/2508-16-0x0000000000050000-0x00000000000FA000-memory.dmp

memory/2508-21-0x0000000000610000-0x000000000062C000-memory.dmp

memory/2508-23-0x0000000000640000-0x000000000064E000-memory.dmp

memory/2508-24-0x00000000007F0000-0x0000000000806000-memory.dmp

memory/2508-25-0x0000000004350000-0x00000000043C6000-memory.dmp

memory/2960-30-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2960-33-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2960-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2960-28-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1212-36-0x0000000000200000-0x0000000000300000-memory.dmp

memory/1560-37-0x0000000000A40000-0x0000000000A58000-memory.dmp

memory/1560-38-0x00000000000D0000-0x00000000000FF000-memory.dmp

memory/1888-41-0x000000007109D000-0x00000000710A8000-memory.dmp

memory/1212-43-0x0000000006B60000-0x0000000006CD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 bcf103ff2239ac0b99573cb11a6fd6b8
SHA1 a742828c23600864364c9b2648e6d71f4726e89e
SHA256 86242c6901f704e60e989be33f063f36363361b2df8e64eb97d7b4b24f61ae07
SHA512 7f3ac09c69cd2a1dd72919e15b8ac896013bbeb7bc04b13747fbd86d7fa033797d8ce1d4b8642bf2007c82743fecab996a60c98170eca78e07fff8697bd927d6

memory/1888-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 05:07

Reported

2024-05-09 05:09

Platform

win10v2004-20240426-en

Max time kernel

136s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1aa76ce00f01882d5cd3d712b8052bc2.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1aa76ce00f01882d5cd3d712b8052bc2.rtf" /o ""

Network


Files

C:\Users\Admin\AppData\Local\Temp\TCD7A20.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e