Analysis Overview
SHA256
5f0798cdb628b90fa0507427cfad23ac606c781d630526e15c20e0150a9ece04
Threat Level: Known bad
The file 5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Process spawned unexpected child process
CrypVault
Pony,Fareit
Modifies boot configuration data using bcdedit
Deletes shadow copies
Executes dropped EXE
UPX packed file
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Accesses Microsoft Outlook accounts
Checks installed software on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry
Modifies registry class
Interacts with shadow copies
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-24 14:38
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-24 14:38
Reported
2022-06-24 14:40
Platform
win10v2004-20220414-en
Max time kernel
102s
Max time network
145s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 400 set thread context of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
"C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32" 0150CEAF8E32.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 3319E07358
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
"C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\3319E07358" 3319E07358.doc
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3319E07358.doc" /o ""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E323319E07358
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dinom.spb.ru | udp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| US | 52.168.117.170:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp |
Files
memory/4780-130-0x0000000000400000-0x000000000041D000-memory.dmp
memory/5104-131-0x0000000000000000-mapping.dmp
memory/4936-132-0x0000000000000000-mapping.dmp
memory/5112-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/4504-135-0x0000000000000000-mapping.dmp
memory/400-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/2116-138-0x0000000000000000-mapping.dmp
memory/384-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3319E07358
| MD5 | 3d495e763086f50096365b14d0037cb0 |
| SHA1 | bf29341e57e15abf6d3433ebbaf7c3ecda33fa71 |
| SHA256 | bfe141ce37886121d25e706cc9217d8311e104016162eb23509d178f43fc2a46 |
| SHA512 | e896016bfbd30fa00ed3ea89062c51a6d490d54c543930d3b655c3270a5240a64c50ad0a42649f8e1621a429d6274f7c9e88aa168ba0178722acb669352da267 |
memory/1608-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/1608-142-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1720-143-0x0000000000000000-mapping.dmp
memory/1608-148-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1124-147-0x0000000000000000-mapping.dmp
memory/1608-149-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/400-146-0x0000000000590000-0x0000000000595000-memory.dmp
memory/1608-150-0x0000000000F80000-0x0000000000F8F000-memory.dmp
memory/1608-153-0x0000000000400000-0x000000000041A000-memory.dmp
memory/4780-152-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1720-157-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-158-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-156-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-155-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-154-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/4484-159-0x0000000000000000-mapping.dmp
memory/1720-160-0x00007FFA63940000-0x00007FFA63950000-memory.dmp
memory/208-161-0x0000000000000000-mapping.dmp
memory/1720-163-0x00007FFA63940000-0x00007FFA63950000-memory.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | b71751d104ed8f256ae64a7d02821be0 |
| SHA1 | bc3e6ac19bf1431a5872597684b2982b8ba07d87 |
| SHA256 | 6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004 |
| SHA512 | b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf |
memory/1296-164-0x0000000000000000-mapping.dmp
memory/4272-165-0x0000000000000000-mapping.dmp
memory/4064-166-0x0000000000000000-mapping.dmp
memory/1608-167-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1720-169-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-170-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-171-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
memory/1720-172-0x00007FFA65B10000-0x00007FFA65B20000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-24 14:38
Reported
2022-06-24 14:40
Platform
win7-20220414-en
Max time kernel
100s
Max time network
46s
Command Line
Signatures
CrypVault
Pony,Fareit
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
suricata: ET MALWARE Fareit/Pony Downloader Checkin 2
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 892 set thread context of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe
"C:\Users\Admin\AppData\Local\Temp\5F0798CDB628B90FA0507427CFAD23AC606C781D63052.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 3319E07358
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32" 0150CEAF8E32.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
"C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\3319E07358" 3319E07358.doc
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E32
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3319E07358.doc"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo 0150CEAF8E323319E07358
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dinom.spb.ru | udp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
| RU | 193.164.150.217:80 | dinom.spb.ru | tcp |
Files
memory/1732-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
memory/1988-55-0x0000000000000000-mapping.dmp
memory/1276-56-0x0000000000000000-mapping.dmp
memory/888-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/1692-59-0x0000000000000000-mapping.dmp
memory/1732-60-0x0000000000400000-0x000000000041D000-memory.dmp
\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/892-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/1888-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3319E07358
| MD5 | 3d495e763086f50096365b14d0037cb0 |
| SHA1 | bf29341e57e15abf6d3433ebbaf7c3ecda33fa71 |
| SHA256 | bfe141ce37886121d25e706cc9217d8311e104016162eb23509d178f43fc2a46 |
| SHA512 | e896016bfbd30fa00ed3ea89062c51a6d490d54c543930d3b655c3270a5240a64c50ad0a42649f8e1621a429d6274f7c9e88aa168ba0178722acb669352da267 |
memory/1868-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/1568-70-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1568-71-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-72-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-74-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-75-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-77-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-78-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-79-0x0000000000418A40-mapping.dmp
memory/892-81-0x00000000001E0000-0x00000000001E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0150CEAF8E32.exe
| MD5 | d1f6d486c4afb6aca38ee45ed8ae4e3c |
| SHA1 | 3343a6203db587c257252d5b493ea16d5ac93e13 |
| SHA256 | d7430680c994bc488209aa05c2e72de9ffe5d858111404a2ffb7715bae4f0758 |
| SHA512 | 634e77f6dc9ff159742cabb90d9c3ce62c5f392b96f2cb01b93d86989369e374e9a473327ece255fc784348e9c3ac710a9e18192b686fc3b264793470d36208d |
memory/1568-83-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-84-0x0000000000400000-0x000000000041A000-memory.dmp
memory/1568-85-0x0000000000400000-0x0000000000E28000-memory.dmp
memory/1568-87-0x00000000002A0000-0x00000000002AF000-memory.dmp
memory/672-89-0x0000000000000000-mapping.dmp
memory/672-92-0x0000000071D81000-0x0000000071D84000-memory.dmp
memory/1732-91-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1644-90-0x0000000000000000-mapping.dmp
memory/672-93-0x000000006F801000-0x000000006F803000-memory.dmp
memory/672-94-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1940-96-0x0000000000000000-mapping.dmp
memory/1568-95-0x0000000000400000-0x000000000041A000-memory.dmp
C:\Users\Admin\Desktop\VAULT.hta
| MD5 | b71751d104ed8f256ae64a7d02821be0 |
| SHA1 | bc3e6ac19bf1431a5872597684b2982b8ba07d87 |
| SHA256 | 6a37244fbabb6238f178c7b769b3d0f15c93d70fece941b416c8e71140538004 |
| SHA512 | b3bee8dd51f874f5677dbb37989077776d0169d97760395d38ab52ac422ce3a9db78df3970a6c1ac6e18538d8e014fc72f3481964976a5f26b2c7e63efe0ffdf |
memory/1204-100-0x0000000000000000-mapping.dmp
memory/672-101-0x00000000707ED000-0x00000000707F8000-memory.dmp
memory/1116-102-0x0000000000000000-mapping.dmp
memory/872-104-0x0000000000000000-mapping.dmp
memory/1592-105-0x0000000000000000-mapping.dmp
memory/672-106-0x00000000707ED000-0x00000000707F8000-memory.dmp
memory/1948-107-0x0000000000000000-mapping.dmp
memory/1948-108-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp
memory/672-109-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/672-110-0x00000000707ED000-0x00000000707F8000-memory.dmp