Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
24-07-2022 22:38
Static task
static1
Behavioral task
behavioral1
Sample
2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf
Resource
win10v2004-20220721-en
General
-
Target
2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf
-
Size
676KB
-
MD5
d0bfa920f7237fd0a80c376e35e69987
-
SHA1
7a49bb30661eb90ad281f0248f7db26ddb4061b8
-
SHA256
2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1
-
SHA512
12d5803715f1f20d42902ef7720f91e716bae51fb6d3adee78706d62ea7a306d8538119dcffa5db23b31ad531763a533f04f437dc4742cffa60e2b3d29c2f1b0
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 2012 516 cmd.exe WINWORD.EXE Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process 1472 516 cmd.exe WINWORD.EXE -
Executes dropped EXE 2 IoCs
Processes:
exe.exeexe.exepid process 1676 exe.exe 1996 exe.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
exe.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ea3w5msa7m11ys.exe exe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ea3w5msa7m11ys.exe\DisableExceptionChainValidation exe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rtaamps.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 3 IoCs
Processes:
cmd.exeexe.exepid process 1900 cmd.exe 1676 exe.exe 1676 exe.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ea3w5msa7m11ys.exe\"" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ea3w5msa7m11ys.exe" explorer.exe -
Processes:
exe.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA exe.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
exe.exeexplorer.exepid process 1996 exe.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
exe.exedescription pid process target process PID 1676 set thread context of 1996 1676 exe.exe exe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1 \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2 C:\Users\Admin\appdata\local\temp\exe.exe nsis_installer_1 C:\Users\Admin\appdata\local\temp\exe.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2 \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1 \Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\exe.exe nsis_installer_2 -
Office loads VBA resources, possible macro or embedded object present
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
exe.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 exe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString exe.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 980 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 1868 taskkill.exe -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
WINWORD.EXEexplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Main explorer.exe Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 516 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
explorer.exepid process 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
exe.exeexe.exeexplorer.exepid process 1676 exe.exe 1996 exe.exe 1996 exe.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe 560 explorer.exe -
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
taskkill.exeexe.exeexplorer.exedescription pid process Token: SeDebugPrivilege 1868 taskkill.exe Token: SeDebugPrivilege 1996 exe.exe Token: SeRestorePrivilege 1996 exe.exe Token: SeBackupPrivilege 1996 exe.exe Token: SeLoadDriverPrivilege 1996 exe.exe Token: SeCreatePagefilePrivilege 1996 exe.exe Token: SeShutdownPrivilege 1996 exe.exe Token: SeTakeOwnershipPrivilege 1996 exe.exe Token: SeChangeNotifyPrivilege 1996 exe.exe Token: SeCreateTokenPrivilege 1996 exe.exe Token: SeMachineAccountPrivilege 1996 exe.exe Token: SeSecurityPrivilege 1996 exe.exe Token: SeAssignPrimaryTokenPrivilege 1996 exe.exe Token: SeCreateGlobalPrivilege 1996 exe.exe Token: 33 1996 exe.exe Token: SeDebugPrivilege 560 explorer.exe Token: SeRestorePrivilege 560 explorer.exe Token: SeBackupPrivilege 560 explorer.exe Token: SeLoadDriverPrivilege 560 explorer.exe Token: SeCreatePagefilePrivilege 560 explorer.exe Token: SeShutdownPrivilege 560 explorer.exe Token: SeTakeOwnershipPrivilege 560 explorer.exe Token: SeChangeNotifyPrivilege 560 explorer.exe Token: SeCreateTokenPrivilege 560 explorer.exe Token: SeMachineAccountPrivilege 560 explorer.exe Token: SeSecurityPrivilege 560 explorer.exe Token: SeAssignPrimaryTokenPrivilege 560 explorer.exe Token: SeCreateGlobalPrivilege 560 explorer.exe Token: 33 560 explorer.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 516 WINWORD.EXE 516 WINWORD.EXE 516 WINWORD.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
WINWORD.EXEcmd.execmd.exeEQNEDT32.EXEcmd.execmd.exedescription pid process target process PID 516 wrote to memory of 2012 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 2012 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 2012 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 2012 516 WINWORD.EXE cmd.exe PID 2012 wrote to memory of 1900 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1900 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1900 2012 cmd.exe cmd.exe PID 2012 wrote to memory of 1900 2012 cmd.exe cmd.exe PID 516 wrote to memory of 1472 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 1472 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 1472 516 WINWORD.EXE cmd.exe PID 516 wrote to memory of 1472 516 WINWORD.EXE cmd.exe PID 1900 wrote to memory of 980 1900 cmd.exe timeout.exe PID 1900 wrote to memory of 980 1900 cmd.exe timeout.exe PID 1900 wrote to memory of 980 1900 cmd.exe timeout.exe PID 1900 wrote to memory of 980 1900 cmd.exe timeout.exe PID 1968 wrote to memory of 1696 1968 EQNEDT32.EXE cMD.exe PID 1968 wrote to memory of 1696 1968 EQNEDT32.EXE cMD.exe PID 1968 wrote to memory of 1696 1968 EQNEDT32.EXE cMD.exe PID 1968 wrote to memory of 1696 1968 EQNEDT32.EXE cMD.exe PID 1900 wrote to memory of 1676 1900 cmd.exe exe.exe PID 1900 wrote to memory of 1676 1900 cmd.exe exe.exe PID 1900 wrote to memory of 1676 1900 cmd.exe exe.exe PID 1900 wrote to memory of 1676 1900 cmd.exe exe.exe PID 1900 wrote to memory of 1868 1900 cmd.exe taskkill.exe PID 1900 wrote to memory of 1868 1900 cmd.exe taskkill.exe PID 1900 wrote to memory of 1868 1900 cmd.exe taskkill.exe PID 1900 wrote to memory of 1868 1900 cmd.exe taskkill.exe PID 1900 wrote to memory of 860 1900 cmd.exe reg.exe PID 1900 wrote to memory of 860 1900 cmd.exe reg.exe PID 1900 wrote to memory of 860 1900 cmd.exe reg.exe PID 1900 wrote to memory of 860 1900 cmd.exe reg.exe PID 1900 wrote to memory of 776 1900 cmd.exe reg.exe PID 1900 wrote to memory of 776 1900 cmd.exe reg.exe PID 1900 wrote to memory of 776 1900 cmd.exe reg.exe PID 1900 wrote to memory of 776 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1880 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1880 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1880 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1880 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1364 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1364 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1364 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1364 1900 cmd.exe reg.exe PID 1900 wrote to memory of 564 1900 cmd.exe reg.exe PID 1900 wrote to memory of 564 1900 cmd.exe reg.exe PID 1900 wrote to memory of 564 1900 cmd.exe reg.exe PID 1900 wrote to memory of 564 1900 cmd.exe reg.exe PID 1900 wrote to memory of 1256 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1256 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1256 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1256 1900 cmd.exe cmd.exe PID 1256 wrote to memory of 320 1256 cmd.exe reg.exe PID 1256 wrote to memory of 320 1256 cmd.exe reg.exe PID 1256 wrote to memory of 320 1256 cmd.exe reg.exe PID 1256 wrote to memory of 320 1256 cmd.exe reg.exe PID 1900 wrote to memory of 1540 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1540 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1540 1900 cmd.exe cmd.exe PID 1900 wrote to memory of 1540 1900 cmd.exe cmd.exe PID 1540 wrote to memory of 884 1540 cmd.exe reg.exe PID 1540 wrote to memory of 884 1540 cmd.exe reg.exe PID 1540 wrote to memory of 884 1540 cmd.exe reg.exe PID 1540 wrote to memory of 884 1540 cmd.exe reg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1268
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2db91acf6453d9cd831395586466d7448945f1a8eb440000b725831ef4a24de1.rtf"2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\apPdata\loCal\teMp\taSk.baT3⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\appdata\local\temp\2nd.bat4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\timeout.exeTIMEOUT 15⤵
- Delays execution with timeout.exe
PID:980 -
C:\Users\Admin\appdata\local\temp\exe.exeC:\Users\Admin\appdata\local\temp\ExE.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:1676 -
C:\Users\Admin\appdata\local\temp\exe.exeC:\Users\Admin\appdata\local\temp\ExE.exe6⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1996 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe7⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\SysWOW64\taskkill.exeTASKKILL /F /IM winword.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1868 -
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f5⤵PID:860
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f5⤵PID:776
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f5⤵PID:1880
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f5⤵PID:1364
-
C:\Windows\SysWOW64\reg.exereg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f5⤵PID:564
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"5⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"6⤵PID:320
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"5⤵
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"6⤵PID:884
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"5⤵PID:1808
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"6⤵PID:1428
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"5⤵PID:1012
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"6⤵PID:1620
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"5⤵PID:1580
-
C:\Windows\SysWOW64\reg.exeREG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"6⤵PID:1604
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\apPdata\loCal\teMp\taSk.baT3⤵
- Process spawned unexpected child process
PID:1472
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1216
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1692346669773449524-928423002-1010073379481641021-804847515-804075916947845424"1⤵PID:2032
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\cMD.execMD Cmd /c %tmP%\TAsk.Bat & UUUUc2⤵PID:1696
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1016
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
310KB
MD50a59cbcabc60f52d931e34bcb2824a47
SHA11616283dae6e5b94db9d178c4d4781f8faa184f9
SHA256641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a
SHA512fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2
-
Filesize
310KB
MD50a59cbcabc60f52d931e34bcb2824a47
SHA11616283dae6e5b94db9d178c4d4781f8faa184f9
SHA256641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a
SHA512fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2
-
Filesize
171B
MD56dc34de53453f0fa267653a69f34831c
SHA17b69e96fd1c5ac9063e973d8214286e8e3fb01e9
SHA2560b1212179f11b6672a53a67ad42d24cfafc1064b487b1a0cb5b3318df7cbeedf
SHA512370043219d716f0499bd3e782132a16fff0e331a66960dcbc892e7321160f5d88ed335760f5b29da3437f7c501732d9dd21a3c1b2d8c0d798fc04f1568813532
-
Filesize
1KB
MD56ff10253be7f8323ce4bf62b75e16ffe
SHA1c5f0a5e8886b142009313330e56aaf208d65daff
SHA256961cb46c41ef78ed21fbac361e6fe247bee82c03db354007a55fcfab8b5b3b3d
SHA512c4423cc288cfb46ee50d57ab14295775527f17559f9a20e864eb416028b546632bb49526b508ce7969792e741aa929d54b71472a50bb1876a5d82f5bd2a76ff9
-
Filesize
310KB
MD50a59cbcabc60f52d931e34bcb2824a47
SHA11616283dae6e5b94db9d178c4d4781f8faa184f9
SHA256641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a
SHA512fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2
-
Filesize
310KB
MD50a59cbcabc60f52d931e34bcb2824a47
SHA11616283dae6e5b94db9d178c4d4781f8faa184f9
SHA256641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a
SHA512fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2
-
Filesize
310KB
MD50a59cbcabc60f52d931e34bcb2824a47
SHA11616283dae6e5b94db9d178c4d4781f8faa184f9
SHA256641915b9fb3916cf59793f98822506595e085b4b9be0c4a63699c976b9b0bf0a
SHA512fce4e5a1dd20201bd3a00a0fab0ad1d5f6a537907b90bd7539027e327a5b21e2e82cadd692c3773f9f04310d99649b2e4a3a5f889cc2c796d2820b760a9c2ca2
-
Filesize
11KB
MD53f176d1ee13b0d7d6bd92e1c7a0b9bae
SHA1fe582246792774c2c9dd15639ffa0aca90d6fd0b
SHA256fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
SHA5120a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6