Malware Analysis Report

2024-11-15 07:20

Sample ID 241109-yfn8ds1bqg
Target Cryp_RAT.doc
SHA256 44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f
Tags
lockbit neshta defense_evasion discovery persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f

Threat Level: Known bad

The file Cryp_RAT.doc was found to be: Known bad.

Malicious Activity Summary

lockbit neshta defense_evasion discovery persistence ransomware spyware stealer

Detect Neshta payload

Neshta

Neshta family

Lockbit family

Lockbit

Renames multiple (317) files with added filename extension

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Indicator Removal: File Deletion

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Subvert Trust Controls: Mark-of-the-Web Bypass

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Launches Equation Editor

Enumerates system info in registry

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:43

Reported

2024-11-09 19:48

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf"

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Lockbit

ransomware lockbit

Lockbit family

lockbit

Neshta

persistence spyware neshta

Neshta family

neshta

Renames multiple (317) files with added filename extension

ransomware
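The 317 renames behind this signature are the encryption pass: each file keeps its name and gains a second extension, .TdGeIqAUn, the same string that the sample registers as a file class and uses for its ransom note elsewhere in this report. The Python below is an added example (not sandbox output and not LockBit code) of the heuristic a file-activity monitor would use to catch that pattern: group rename events by the extension that was appended, and alert when one unknown extension is appended to many files inside a short window. The event log is constructed to match the count in this report; the 30-second window, the threshold of 50 and the allowlist of benign suffixes are assumed tuning values.

```python
"""Detect a mass-rename burst where one unknown extension is appended to many
files. Added example; the events are synthesised to match this report's 317 count."""
from collections import defaultdict
from datetime import datetime, timedelta

# Suffixes legitimate software appends during normal saves/rotations (assumed allowlist).
KNOWN_SUFFIXES = {".bak", ".tmp", ".old", ".orig", ".part", ".crdownload", ".swp"}


def synth_events(n=317, ext=".TdGeIqAUn", start=datetime(2024, 11, 9, 19, 44, 0)):
    """Constructed rename log: (timestamp, old_path, new_path). `n` files gain `ext`
    40 ms apart, plus benign renames that must not contribute to an alert."""
    events = []
    for i in range(n):
        old = "C:\\Users\\Admin\\Documents\\report%03d.docx" % i
        events.append((start + timedelta(milliseconds=40 * i), old, old + ext))
    events.append((start + timedelta(seconds=3), r"C:\Users\Admin\notes.txt",
                   r"C:\Users\Admin\notes-old.txt"))          # rename, nothing appended
    events.append((start + timedelta(seconds=4), r"C:\Users\Admin\app.log",
                   r"C:\Users\Admin\app.log.bak"))             # appended but allowlisted
    return sorted(events)


def appended_extension(old, new):
    """Extension that was appended to `old` to form `new` (e.g. '.TdGeIqAUn'), else None."""
    if not new.startswith(old + "."):
        return None
    ext = new[len(old):]
    if ext.count(".") != 1 or ext.lower() in KNOWN_SUFFIXES:
        return None
    return ext


def detect_rename_bursts(events, window=timedelta(seconds=30), threshold=50):
    """Report every appended extension that reaches `threshold` renames inside any
    `window`-long interval (sliding window over the sorted timestamps)."""
    stamps_by_ext = defaultdict(list)
    for ts, old, new in events:
        ext = appended_extension(old, new)
        if ext:
            stamps_by_ext[ext].append(ts)
    alerts = []
    for ext, stamps in stamps_by_ext.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts.append({"extension": ext, "peak_in_window": peak,
                           "total": len(stamps), "first": stamps[0], "last": stamps[-1]})
    return alerts


if __name__ == "__main__":
    for a in detect_rename_bursts(synth_events()):
        print(f"{a['extension']}: {a['peak_in_window']} renames within 30s "
              f"({a['total']} total, {a['first']:%H:%M:%S} to {a['last']:%H:%M:%S})")
```

The check keys on the appended extension rather than on a known extension list, so it fires on a never-seen extension such as .TdGeIqAUn without a signature update; the allowlist exists only to keep log rotation and editor backups from contributing to the count.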

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\TdGeIqAUn.bmp" | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\TdGeIqAUn.bmp" | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\69BB.tmp | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2600 set thread context of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpconfig.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\iexplore.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\UNINST~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\WMPDMC.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\OIS.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wab.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI4223~1\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ielowutil.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmpshare.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\INTERN~1\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WINDOW~1\WinMail.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\wmplayer.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\WI54FB~1\setup_wm.exe | C:\Windows\svchost.com | N/A
File opened for modification | C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
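The long list of Program Files executables opened for modification by Client.exe and by C:\Windows\svchost.com is Neshta's infection pass. Neshta is a prepending file infector: an infected executable consists of the infector body followed by the original host, and the cleaned host is what this sample later runs from %TEMP%\3582-490\. The Python below is an added example (not Neshta code and not sandbox output) of a generic check for that layout: it looks for a second MZ/PE header inside a file and splits the leading stub from the appended host. The sample bytes are constructed, not a real PE, and the split offset is derived from the data rather than hardcoded. A legitimate binary that embeds another PE (self-extracting installers, binaries carried as resources) will also trigger it, so treat a hit as a lead to confirm against a known-good copy rather than as proof of infection.

```python
"""Generic prepender check: find a second MZ/PE header inside a file and split the
infector stub from the appended host. Added example; the sample bytes are constructed."""
import struct


def mini_pe(tag: bytes, size: int) -> bytes:
    """Constructed PE-shaped blob (not runnable): DOS header with e_lfanew=0x40,
    a 'PE\\0\\0' signature, a tag, then zero padding to `size` bytes."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> NT headers
    return (bytes(dos) + b"PE\0\0" + tag).ljust(size, b"\0")


def pe_header_offsets(data: bytes, max_lfanew: int = 0x1000) -> list:
    """Offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0x40 <= lfanew < max_lfanew and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def split_prepender(data: bytes):
    """(stub, host) when a second PE image follows the one at offset 0, else (data, None).
    For a prepending infector the stub is the infector body, the host the original file."""
    hits = pe_header_offsets(data)
    if len(hits) < 2 or hits[0] != 0:
        return data, None
    return data[:hits[1]], data[hits[1]:]


def looks_prepended(data: bytes) -> bool:
    return split_prepender(data)[1] is not None


if __name__ == "__main__":
    stub, host = mini_pe(b"STUB", 4096), mini_pe(b"HOST", 8192)
    infected = stub + host                        # what a prepender leaves on disk
    s, h = split_prepender(infected)
    print("stub bytes:", len(s), "host recovered:", h == host)
    print("clean host flagged?", looks_prepended(host))
```

Applied to the files in this report, the pure infector (C:\Windows\svchost.com) shows a single header, the infected Temp\Client.exe shows two, and the copy under 3582-490\ shows one again: the stub length is the same for every infected file, which is a quick way to confirm a prepender across a directory tree.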

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A
File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\69BB.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\svchost.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.TdGeIqAUn | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.TdGeIqAUn\ = "TdGeIqAUn" | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TdGeIqAUn\DefaultIcon\ = "C:\\ProgramData\\TdGeIqAUn.ico" | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
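The registry writes in this report carry three distinct meanings. Neshta (the first-stage Client.exe) rewrites exefile\shell\open\command so that C:\Windows\svchost.com is interposed in front of every .exe launch, which is also why cmd.exe later appears as a child of svchost.com in the process list. LockBit (the 3582-490\Client.exe copy) registers .TdGeIqAUn as a file class with an icon under C:\ProgramData, and points the wallpaper at a bitmap in the same directory. The Python below is an added example (not part of this report, and not code from either malware family) that classifies registry events of this kind. The event list is transcribed from the rows above with the hive names abbreviated; the stock exefile command "%1" %* is the known Windows default; live_exefile_command() reads the real value only when run on a Windows host and returns None elsewhere.

```python
"""Classify registry writes of the kind listed in this report. Added example;
the event tuples are transcribed from the report's rows (hive names abbreviated)."""
import re
import sys

USER_SID = "S-1-5-21-1846800975-3917212583-2893086201-1000"
DESKTOP_KEY = "HKU\\" + USER_SID + "\\Control Panel\\Desktop"

# (key, value name, data); "" as the value name means the key's (Default) value.
REG_EVENTS = [
    (r"HKLM\SOFTWARE\Classes\exefile\shell\open\command", "", r'C:\Windows\svchost.com "%1" %*'),
    (r"HKLM\SOFTWARE\Classes\.TdGeIqAUn", "", "TdGeIqAUn"),
    (r"HKLM\SOFTWARE\Classes\TdGeIqAUn\DefaultIcon", "", r"C:\ProgramData\TdGeIqAUn.ico"),
    (DESKTOP_KEY, "WallPaper", r"C:\ProgramData\TdGeIqAUn.bmp"),
    (DESKTOP_KEY, "WallpaperStyle", "10"),
]

EXEFILE_DEFAULT = '"%1" %*'                      # stock Windows open command for .exe
EXT_KEY = re.compile(r"\\Classes\\(\.[^\\]+)$", re.I)
PROGID_ICON = re.compile(r"\\Classes\\([^\\.][^\\]*)\\DefaultIcon$", re.I)
# paths under ProgramData or a user profile: writable without admin rights
WRITABLE = re.compile(r"^[A-Za-z]:\\(ProgramData|Users\\[^\\]+)\\", re.I)


def exefile_hijack(data):
    """Return the program interposed in front of "%1", or None if the command is stock."""
    norm = " ".join(data.split())
    if norm == EXEFILE_DEFAULT:
        return None
    prefix = norm.split('"%1"', 1)[0].strip()
    return prefix or norm


def classify(events):
    """Return a list of (finding, detail) tuples for the suspicious writes."""
    findings = []
    ext_of_progid = {}                           # which ProgID a new extension points at
    for key, name, data in events:
        m = EXT_KEY.search(key.rstrip("\\"))
        if m and name == "":
            ext_of_progid[data] = m.group(1)
    for key, name, data in events:
        k = key.rstrip("\\")
        if k.lower().endswith(r"\classes\exefile\shell\open\command") and name == "":
            hijack = exefile_hijack(data)
            if hijack:
                findings.append(("exefile_hijack", hijack))
        elif (m := PROGID_ICON.search(k)) and name == "" and WRITABLE.match(data):
            ext = ext_of_progid.get(m.group(1), "?")
            findings.append(("new_extension_registration", f"{ext} -> {data}"))
        elif (k.lower().endswith(r"\control panel\desktop") and name.lower() == "wallpaper"
              and WRITABLE.match(data)):
            findings.append(("wallpaper_replaced", data))
    return findings


def live_exefile_command():
    """Read the real exefile open command on a Windows host; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    for finding, detail in classify(REG_EVENTS):
        print(f"{finding:28} {detail}")
    live = live_exefile_command()
    if live is not None:
        print("this host:", exefile_hijack(live) or "exefile command is stock")
```

The exefile check is the one worth running on every host during a Neshta cleanup: removing svchost.com while the association still points at it leaves every .exe double-click failing, so the registry value has to be restored to "%1" %* in the same step.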

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: RenamesItself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2796 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2684 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2684 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2684 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2684 wrote to memory of 2636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe
PID 2636 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2636 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2636 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2636 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 2600 wrote to memory of 988 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe
PID 988 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\ProgramData\69BB.tmp
PID 988 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\ProgramData\69BB.tmp
PID 988 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\ProgramData\69BB.tmp
PID 988 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\ProgramData\69BB.tmp
PID 988 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe | C:\ProgramData\69BB.tmp
PID 1916 wrote to memory of 2260 | N/A | C:\ProgramData\69BB.tmp | C:\Windows\svchost.com
PID 1916 wrote to memory of 2260 | N/A | C:\ProgramData\69BB.tmp | C:\Windows\svchost.com
PID 1916 wrote to memory of 2260 | N/A | C:\ProgramData\69BB.tmp | C:\Windows\svchost.com
PID 1916 wrote to memory of 2260 | N/A | C:\ProgramData\69BB.tmp | C:\Windows\svchost.com
PID 2260 wrote to memory of 1780 | N/A | C:\Windows\svchost.com | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1780 | N/A | C:\Windows\svchost.com | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1780 | N/A | C:\Windows\svchost.com | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1780 | N/A | C:\Windows\svchost.com | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c%tmp%\Client.exe A C

C:\Users\Admin\AppData\Local\Temp\Client.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe A C

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe" A C

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"

C:\ProgramData\69BB.tmp

"C:\ProgramData\69BB.tmp"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x14c
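The Processes list gives command lines but not parent/child relationships; those come from the WriteProcessMemory rows, which name the PIDs on each hop. The Word to Equation Editor hop has no such row because EQNEDT32.EXE is started by COM activation (the -Embedding switch), so WINWORD.EXE is not its parent and the link has to be made by time and session rather than by PID. The following Python is an added example (not sandbox code) that rebuilds the chain from those rows and tags the hops a detection engineer cares about: an Office host spawning a shell, execution from a user-writable directory, Neshta's 3582-490 staging directory, the hijacked launch through C:\Windows\svchost.com, and a cmd.exe DEL whose target is the image of an ancestor process (self-deletion of 69BB.tmp). The pairing of the two cmd.exe command lines with PIDs is an assumption based on their order in the list; everything else is transcribed from the tables above.

```python
"""Rebuild the behavioral1 process chain from sandbox parent/child rows and
tag the hops worth alerting on. Added example; data transcribed from the report."""
import re
from collections import defaultdict

# (parent_pid, parent_image, child_pid, child_image), one entry per distinct hop
# in the WriteProcessMemory table (the sandbox logs one row per call).
EDGES = {
    (2796, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     2684, r"C:\Windows\SysWOW64\cmd.exe"),
    (2684, r"C:\Windows\SysWOW64\cmd.exe",
     2636, r"C:\Users\Admin\AppData\Local\Temp\Client.exe"),
    (2636, r"C:\Users\Admin\AppData\Local\Temp\Client.exe",
     2600, r"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"),
    (2600, r"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe",
     988, r"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe"),
    (988, r"C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe",
     1916, r"C:\ProgramData\69BB.tmp"),
    (1916, r"C:\ProgramData\69BB.tmp", 2260, r"C:\Windows\svchost.com"),
    (2260, r"C:\Windows\svchost.com", 1780, r"C:\Windows\SysWOW64\cmd.exe"),
}

# Command lines from the Processes list. ASSUMPTION: the report does not pair
# command lines with PIDs; the two cmd.exe lines are mapped by list order.
CMDLINES = {
    2684: r"cmd.exe /c%tmp%\Client.exe A C",
    2260: r'"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL',
    1780: r"C:\Windows\System32\cmd.exe /C DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL",
}

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.I)
# first drive-letter path after a DEL verb, e.g. "DEL /F /Q C:\PROGRA~3\69BB.tmp >> NUL"
DEL_TARGET = re.compile(r"\bdel\b[^&|]*?([A-Za-z]:\\\S+)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(edges):
    children, images = defaultdict(set), {}
    for ppid, pimg, cpid, cimg in edges:
        children[ppid].add(cpid)
        images[ppid], images[cpid] = pimg, cimg
    all_children = {c for kids in children.values() for c in kids}
    roots = sorted(p for p in children if p not in all_children)
    return children, images, roots


def self_delete_target(pid, ancestors, images, cmdlines):
    """PID of the ancestor whose image a DEL command in `pid` removes, or None."""
    m = DEL_TARGET.search(cmdlines.get(pid, ""))
    if not m:
        return None
    target = basename(m.group(1))
    for anc in ancestors:
        if basename(images[anc]) == target:
            return anc
    return None


def analyze(edges=EDGES, cmdlines=CMDLINES):
    """Return {pid: [tags]} for every process that tripped a rule."""
    children, images, roots = build_tree(edges)
    tags = defaultdict(list)

    def walk(pid, ancestors):
        for cpid in sorted(children.get(pid, ())):
            pname, cimg = basename(images[pid]), images[cpid]
            cname = basename(cimg)
            if pname in OFFICE_HOSTS and cname in SHELLS:
                tags[cpid].append("office_spawns_shell")
            if USER_WRITABLE.search(cimg):
                tags[cpid].append("exec_from_user_writable")
            if "\\3582-490\\" in cimg:
                tags[cpid].append("neshta_clean_host_copy")   # Neshta's staging dir
            if cimg.lower() == r"c:\windows\svchost.com":
                tags[cpid].append("neshta_exefile_hook")      # exefile association hijack
            victim = self_delete_target(cpid, ancestors + [pid], images, cmdlines)
            if victim is not None:
                tags[cpid].append(f"self_delete_of_pid_{victim}")
            walk(cpid, ancestors + [pid])

    for root in roots:
        walk(root, [])
    return dict(tags)


def chain(edges=EDGES):
    """Root-to-leaf image basenames, following the first child at each level."""
    children, images, roots = build_tree(edges)
    out, pid = [], roots[0]
    while True:
        out.append(basename(images[pid]))
        kids = sorted(children.get(pid, ()))
        if not kids:
            return out
        pid = kids[0]


if __name__ == "__main__":
    print(" -> ".join(chain()))
    for pid, found in sorted(analyze().items()):
        print(pid, ", ".join(found))
```

The self-delete rule is deliberately generic: it matches a DEL whose target basename equals any ancestor's image rather than a fixed path, so it also fires when the helper is dropped under a different temporary name.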

Network

N/A

Files

memory/2084-0-0x000000002F6F1000-0x000000002F6F2000-memory.dmp

memory/2084-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2084-2-0x00000000713CD000-0x00000000713D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9FBEE.wmf

MD5 95bb648d6eb9265eeaf0f889731b1e23
SHA1 631d60a024835f4e53ceb9d0a987ce52fe517df4
SHA256 9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c
SHA512 184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

C:\Users\Admin\AppData\Local\Temp\Client.exe

MD5 2b9a1b7a5e13b8672655d0a09ce50217
SHA1 2b62dbb4edbc5460bb42e790ca1a4ba7a4821362
SHA256 f6c559c031b7b16b1edf34b38e74b6bf3a7106ca34881d7f5c63b8e0d7ac3694
SHA512 db34521fbd83a5c9a3671f2ed14854e98c83256a8e16b809d7a165754e5f02c3c6b7dd1f4e994be7e859da5a5a852b5a93d4846cefbc6985d81a56a34a766f52

C:\Users\Admin\AppData\Local\Temp\3582-490\Client.exe

MD5 035a441e07c7d7797cccfc92a988e156
SHA1 7d33fe3c6e43ae0440db5fc51d7d9fe653379902
SHA256 f00b211b5f93e23409e9383930c79990949b3671b1c1e0dc00208bb1c8f1e10d
SHA512 9b10c302581fed3b186ee9ad598ba98597318ae09a538eaedab7bffa0db5d4dea82d1a2ae4e320e210575763073f0e58be9416e8758ab495b02f9a54360a6636

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

MD5 02ee6a3424782531461fb2f10713d3c1
SHA1 b581a2c365d93ebb629e8363fd9f69afc673123f
SHA256 ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc
SHA512 6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

memory/2600-28-0x00000000002C0000-0x000000000030C000-memory.dmp

memory/2600-33-0x0000000000210000-0x0000000000222000-memory.dmp

memory/988-35-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-37-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-39-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-52-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-50-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/988-47-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-45-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-41-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-54-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-62-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-59-0x0000000000400000-0x0000000000428000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\KKKKKKKKKKK

MD5 10ccea80be2cade9008a7eb13d0361b2
SHA1 fa7013e37939eb3e50c2f585dbe10c50a5e1fc95
SHA256 8acca1c01ebb498d0243a9ef07bbb7e626d94a31e6748478c182dca6d1f77bb2
SHA512 a19ade88b277dff35fecca1da70e78d97b85cdfc5ecc6717bcb247b0ef1f18bf2460515f8e70fb7e8d583aff407fb3f742cea2b71a88323e2145438fc0f7bf44

memory/2084-100-0x00000000713CD000-0x00000000713D8000-memory.dmp

memory/988-224-0x0000000000400000-0x0000000000428000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\DDDDDDDDDDD

MD5 f4d4f5fade343f1298fa34816d58c4e8
SHA1 280288e9b44c12a8a0e89fe7e3201019c20bea99
SHA256 baf77d46b0b0808b7eea0512d39031c2514f1c44f0051dbd23de82b392fcce1c
SHA512 6b90713c9cdba913d766688a9cbd0c0beb0c865342d64a4f1aaf09468b8cfde6ffb9360c30579c1e7b0274f02d7ff3bb25f3569689f891895e195daa21e1baea

\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

MD5 9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1 ec66cda99f44b62470c6930e5afda061579cde35
SHA256 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA512 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

C:\TdGeIqAUn.README.txt

MD5 47bf1514a0892e2468125cbf3b32caa9
SHA1 c3c24479ebefd9a0a05b0db879941951a702c77b
SHA256 a0c4eeae47956b19b2667ae5c94a154fc5002a78dea22e028049ece1d7a0c920
SHA512 252d78c25d9d5bd3eece76ce940cfadd6f80a81f59fea34c37495388cba4baccf1982cc2098cba28ee933b1d18cfbaa485b9e0fafa1791edfc5c86dd463329aa

memory/988-254-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~$yp_RAT.rtf

MD5 ca5b0d889e6f9471bb28c71ce0ca6f8a
SHA1 660a2caeae6c9ac26c755e704883ecae1b4d5032
SHA256 194b780fa6ab17eb510a3806b8eb96f66a44a27f583369e42291af19e4e6772d
SHA512 70666ab7bbadf30d7b9164828180c2c0738295553f96c9b4ef204abff453b885acafc41248acc0f47e481f88de1166aa1b03e1da9ca57a7c42ac63bd7e3474f9

memory/988-981-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-979-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-995-0x0000000000400000-0x0000000000428000-memory.dmp

memory/988-998-0x0000000000400000-0x0000000000428000-memory.dmp

\ProgramData\69BB.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

C:\Users\Admin\AppData\Local\Temp\3582-490\DDDDDDDDDD

MD5 fb8b7d00715bfb4bf6818ece19bc5f5b
SHA1 31b16dbdd5e2f39e8c52288dd08d49f4463254a8
SHA256 23f5ae3dfaa5c5b1eda7f6a839d2a3b2a075816b17d51315f99b0024d7884db5
SHA512 4be3401c6adcda96a44669e7891ed5d884c601b121e5c92cb16412944a245dfd7696a374825f8de611a9bcbefc9c81471864754bfe23931aff1b67d571f14801

C:\Windows\svchost.com

MD5 27cc46f9e49226bff7bd9d80ceb6f00b
SHA1 ce38b70cb368a5047c32a63f5c1942e04e1d8d3d
SHA256 91a8a010b76f69ec29934c4d0fa207c54850daa5941aeccea941d46e0525fc27
SHA512 c3a9d7886aa34ef77bffdc55c5aa59eff8eed4367b514606f197590cf63deadf5f1e83b4aaf5d87e668e5e5f710ee0737b7cf64416892fcdfc6430f28b356f65

\Users\Admin\AppData\Local\Temp\ose00000.exe

MD5 9d10f99a6712e28f8acd5641e3a7ea6b
SHA1 835e982347db919a681ba12f3891f62152e50f0d
SHA256 70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA512 2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

memory/2636-1094-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2260-1095-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2260-1099-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2636-1097-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:43

Reported

2024-11-09 19:48

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf" /o ""

Signatures

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{BB0159E8-D17A-40D7-B1F9-7DEE3F612074}\Client.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{BB0159E8-D17A-40D7-B1F9-7DEE3F612074}\Client.exe:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
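
The two signatures above (Mark-of-the-Web Bypass and NTFS ADS) are the same event reported twice: WINWORD.EXE opened the Zone.Identifier stream of Client.exe, sitting under a {GUID} folder in %TEMP%, for modification. That location is consistent with Word extracting an embedded OLE Package object. A write to the stream can mean either that Word propagated the document's own zone onto the extracted file or that the mark was cleared; only the stream's contents after the fact tell which, and a missing stream on a freshly extracted executable is the case to worry about. The checker below is added here and is not part of the sandbox report: it parses the INI-style text of a Zone.Identifier stream and classifies the file's state. The sample stream contents are constructed, and the URLs in them are placeholders.

```python
"""Classify a file's Mark-of-the-Web state from its Zone.Identifier ADS."""
import os
import sys

# URLMON zone numbers (standard values; names are for display only).
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample streams (not captured from the sandbox run); URLs are placeholders.
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/Cryp_RAT.doc\r\n"
)
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"


def parse_zone_identifier(data: str) -> dict:
    """Return the key/value pairs under [ZoneTransfer]; ZoneId becomes an int if numeric.

    The stream is INI-style text:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=...
        HostUrl=...
    """
    fields = {}
    in_section = False
    for raw in data.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            pass  # left as a string so classify() can flag it
    return fields


def classify(stream_text):
    """Return (verdict, detail). stream_text is None when the file has no stream."""
    if stream_text is None:
        return ("NO_MOTW", "no Zone.Identifier stream: never marked, or stripped")
    fields = parse_zone_identifier(stream_text)
    zone = fields.get("ZoneId")
    if not isinstance(zone, int):
        return ("MALFORMED", f"stream present but ZoneId unparsable: {fields!r}")
    if zone >= 3:
        return ("MARKED", f"ZoneId={zone} ({ZONES.get(zone, '?')}): SmartScreen/Protected View apply")
    return ("DOWNGRADED", f"ZoneId={zone} ({ZONES.get(zone, '?')}): treated as local/trusted")


def read_stream(path):
    """Read <path>:Zone.Identifier on NTFS (Windows only); None if the stream is absent."""
    if os.name != "nt":
        raise OSError("alternate data streams require NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python motw_check.py "%TEMP%\{GUID}\Client.exe"  (path is an assumption)
        print(sys.argv[1], *classify(read_stream(sys.argv[1])))
    else:
        for name, text in (("internet", SAMPLE_INTERNET), ("local", SAMPLE_LOCAL), ("missing", None)):
            print(f"{name:<9}", *classify(text))
```

With a path argument it reads the real stream on a Windows host (run it against the extracted Client.exe after detonation, before the sandbox resets); with no argument it walks the constructed samples so the logic can be exercised anywhere. Anything other than MARKED on a file that arrived inside an Internet-zoned document is the condition the signature is meant to catch.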

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 95.100.195.47:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 169.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 47.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
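
Most rows in this table are not the sample's own traffic. The *.in-addr.arpa names are reverse (PTR) lookups of IPs the run touched, with the octets written back to front (169.117.19.2.in-addr.arpa asks about 2.19.117.169), and the forward lookups and TLS connections go to the Office roaming-settings and template CDN endpoints that Word contacts on any launch; the 27 repeated rows are separate connections to the same CDN host. A first triage pass therefore wants to collapse repeats, decode the PTR names, match what is left against a baseline of expected Office domains and surface whatever remains. The script below does that. It is added here and is not part of the report or of the sandbox's tooling; its embedded rows are a subset of the table above, and the Office baseline list is an assumption to be extended from your own clean-run captures.

```python
"""Triage a sandbox Network table: collapse repeats, decode PTR names, flag the unexplained."""
from collections import Counter
from dataclasses import dataclass
import sys

# A subset of the rows from the report's Network table (column order: Country Destination Domain Proto).
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.169:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 169.117.19.2.in-addr.arpa udp
"""

# Domains Office reaches in normal operation. Assumption: illustrative, not authoritative;
# build the real list from clean detonations of a benign document on the same image.
OFFICE_BASELINE = {"officeapps.live.com", "cdn.office.net"}


@dataclass(frozen=True)
class Row:
    country: str
    dest: str
    domain: str
    proto: str


def parse_rows(text):
    """Parse the four-column table; skips the header and any malformed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        rows.append(Row(*parts))
    return rows


def ptr_target(domain):
    """For a reverse-lookup name return the IPv4 address it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def in_baseline(domain):
    return any(domain == b or domain.endswith("." + b) for b in OFFICE_BASELINE)


def triage(rows):
    """Bucket rows into baseline / unexplained connections and PTR-only addresses."""
    ptr_ips, contacted = set(), set()
    baseline, unexplained = Counter(), Counter()
    for r in rows:
        ip = ptr_target(r.domain)
        if ip is not None:
            ptr_ips.add(ip)          # reverse lookup, not a connection by the sample
            continue
        contacted.add(r.dest.rsplit(":", 1)[0])
        key = (r.dest, r.domain, r.proto)
        (baseline if in_baseline(r.domain) else unexplained)[key] += 1
    # IPs that were reverse-resolved but never appear as a destination deserve a look.
    return {"baseline": baseline, "unexplained": unexplained, "ptr_only": ptr_ips - contacted}


def report(text=SAMPLE_TABLE):
    t = triage(parse_rows(text))
    lines = []
    for (dest, domain, proto), n in sorted(t["baseline"].items()):
        lines.append(f"baseline    {dest:<20} {domain:<36} {proto} x{n}")
    for (dest, domain, proto), n in sorted(t["unexplained"].items()):
        lines.append(f"UNEXPLAINED {dest:<20} {domain:<36} {proto} x{n}")
    for ip in sorted(t["ptr_only"]):
        lines.append(f"ptr-only    {ip} (reverse-resolved, never contacted)")
    return "\n".join(lines)


if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_TABLE
    print(report(src))
```

Run it with the path of a saved copy of the table as its only argument, or with no argument to summarize the embedded rows. On this run nothing lands in the unexplained bucket, which matches the table: every destination is either the resolver at 8.8.8.8 or an Office service endpoint, so the behavioral2 detonation shows no outbound traffic attributable to the payload itself. The ptr-only line for 93.184.221.240 shows the other thing worth checking: an address the host resolved in reverse without a matching connection in the capture.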

Files

memory/2820-0-0x00007FFDE90D0000-0x00007FFDE90E0000-memory.dmp

memory/2820-1-0x00007FFE290ED000-0x00007FFE290EE000-memory.dmp

memory/2820-3-0x00007FFDE90D0000-0x00007FFDE90E0000-memory.dmp

memory/2820-2-0x00007FFDE90D0000-0x00007FFDE90E0000-memory.dmp

memory/2820-4-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-5-0x00007FFDE90D0000-0x00007FFDE90E0000-memory.dmp

memory/2820-7-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-9-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-10-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-12-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-11-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-8-0x00007FFDE90D0000-0x00007FFDE90E0000-memory.dmp

memory/2820-6-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-13-0x00007FFDE6E30000-0x00007FFDE6E40000-memory.dmp

memory/2820-14-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-15-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-18-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-17-0x00007FFDE6E30000-0x00007FFDE6E40000-memory.dmp

memory/2820-16-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-19-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\5958D594.wmf

MD5 95bb648d6eb9265eeaf0f889731b1e23
SHA1 631d60a024835f4e53ceb9d0a987ce52fe517df4
SHA256 9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c
SHA512 184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

memory/2820-43-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

memory/2820-44-0x00007FFE290ED000-0x00007FFE290EE000-memory.dmp

memory/2820-45-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7cf26e639f1ebe2c1740de28e7d704b6
SHA1 8be4608cdfb854149c52949a08cb9a0a77f36b14
SHA256 e9c91286fe9ad20b36c257d6552b660fe3f17903585c62d69899764c6df1e098
SHA512 b485ceeea0a8a95ae648b9649a7ef6a956c1866f6d0126b8483e27b509379e45f079a55c2ac21c9a24e35c9534d27594612d99c37ddeb3eb068b1b6733e0055b

memory/2820-51-0x00007FFE29050000-0x00007FFE29245000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDED44.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e