bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a

Analysis

Target

bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a(1).doc
Size

132KB
MD5

098a437654cdb48161d6b5f32c6446ae
SHA1

dbcdb66974e7a4d9c47fec70e2e740efbd42fbf5
SHA256

bd69eb17ae81e39cdb30bd53cb0fe4b0cbffaa8350c4fc7fe5b2e91e93a8045a
SHA512

7bc4e33a665a74ee71ffed2ebdbbc54c80ba4a09343a0a0af3878b6b4f44aca1ad1e6ab08cdd70bcf9a74ccec9103f53b926b94a660bb035a3b24334ad76c81e

Score

10^/10

Suspicious use of SetWindowsHookEx 16 IoCs

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1796	1456	regsvr32.exe	23

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	26
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	26
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	26
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	26
PID 1456 wrote to memory of 1796	1456	WINWORD.EXE	26

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1796	regsvr32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1456	WINWORD.EXE

memory/1456-0-0x0000000005C80000-0x0000000005CE5000-memory.dmp

Filesize
404KB

Download