Analysis
max time kernel: 199s
max time network: 190s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 31-07-2022 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: 328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf
  Resource: win10v2004-20220721-en
General
Target: 328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf
Size: 734KB
MD5: 6d36c15327846d69d6c0687a6275613e
SHA1: a4be38a5f4c266c132d7cf132d6064036b2fc6aa
SHA256: 328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290
SHA512: 901fdffb78e418a8a58c23cbe0fe6aef833edcdedc1c3b0b02c48762ee9fa1dc2466d908930b03ab37c346bedf76f99c6876fa67c49a4f90a1d5cfaa31f64a70
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
Description | IoC | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | explorer.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | explorer.exe
Executes dropped EXE 2 IoCs
Processes:
PID | Process
1108 | mondi.exe
980 | mondi.eXe
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ceek3yi9ee53o9a.exe | mondi.eXe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ceek3yi9ee53o9a.exe\DisableExceptionChainValidation | mondi.eXe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ucok.exe" | explorer.exe
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Loads dropped DLL 4 IoCs
Processes:
PID | Process
332 | cmd.exe
1108 | mondi.exe
1108 | mondi.exe
1108 | mondi.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\ceek3yi9ee53o9a.exe" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\ceek3yi9ee53o9a.exe\"" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Checks whether UAC is enabled 1 IoCs
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mondi.eXe
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
PID | Process
980 | mondi.eXe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
Description | PID | Process | Target process
PID 1108 set thread context of 980 | 1108 | mondi.exe | mondi.eXe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 8 IoCs
Processes:
Resource | Yara rule
\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_2
\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_1
\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\mondi.exe | nsis_installer_2
Office loads VBA resources, possible macro or embedded object present
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mondi.eXe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mondi.eXe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Delays execution with timeout.exe 1 IoCs
Processes:
PID | Process
1888 | timeout.exe
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | explorer.exe
Kills process with taskkill 1 IoCs
Processes:
PID | Process
1224 | taskkill.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | explorer.exe
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
Description | IoC | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | explorer.exe
Modifies Internet Explorer settings 10 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Main | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
NTFS ADS 3 IoCs
Processes:
Description | IoC | Process
File created | C:\Users\Admin\AppData\Local\Temp\hondi.cmd:Zone.Identifier | cMd.exe
File created | C:\Users\Admin\AppData\Local\Temp\mondi.eXe:Zone.Identifier | cmd.exe
File created | C:\Users\Admin\AppData\Local\Temp\gondi.doc:Zone.Identifier | cmd.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
PID | Process
1172 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID | Process
1108 | mondi.exe (this same entry is listed for all 64 IoCs)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
PID | Process
980 | mondi.eXe
980 | mondi.eXe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
1476 | explorer.exe
Suspicious use of AdjustPrivilegeToken 29 IoCs
Processes:
Description | PID | Process
Token: SeDebugPrivilege | 1224 | taskkill.exe
Token: SeDebugPrivilege | 980 | mondi.eXe
Token: SeRestorePrivilege | 980 | mondi.eXe
Token: SeBackupPrivilege | 980 | mondi.eXe
Token: SeLoadDriverPrivilege | 980 | mondi.eXe
Token: SeCreatePagefilePrivilege | 980 | mondi.eXe
Token: SeShutdownPrivilege | 980 | mondi.eXe
Token: SeTakeOwnershipPrivilege | 980 | mondi.eXe
Token: SeChangeNotifyPrivilege | 980 | mondi.eXe
Token: SeCreateTokenPrivilege | 980 | mondi.eXe
Token: SeMachineAccountPrivilege | 980 | mondi.eXe
Token: SeSecurityPrivilege | 980 | mondi.eXe
Token: SeAssignPrimaryTokenPrivilege | 980 | mondi.eXe
Token: SeCreateGlobalPrivilege | 980 | mondi.eXe
Token: 33 | 980 | mondi.eXe
Token: SeDebugPrivilege | 1476 | explorer.exe
Token: SeRestorePrivilege | 1476 | explorer.exe
Token: SeBackupPrivilege | 1476 | explorer.exe
Token: SeLoadDriverPrivilege | 1476 | explorer.exe
Token: SeCreatePagefilePrivilege | 1476 | explorer.exe
Token: SeShutdownPrivilege | 1476 | explorer.exe
Token: SeTakeOwnershipPrivilege | 1476 | explorer.exe
Token: SeChangeNotifyPrivilege | 1476 | explorer.exe
Token: SeCreateTokenPrivilege | 1476 | explorer.exe
Token: SeMachineAccountPrivilege | 1476 | explorer.exe
Token: SeSecurityPrivilege | 1476 | explorer.exe
Token: SeAssignPrimaryTokenPrivilege | 1476 | explorer.exe
Token: SeCreateGlobalPrivilege | 1476 | explorer.exe
Token: 33 | 1476 | explorer.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
PID | Process
1172 | WINWORD.EXE
1172 | WINWORD.EXE
1172 | WINWORD.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Description | PID | Process | Target process | Entries
PID 844 wrote to memory of 1304 | 844 | EQNEDT32.EXE | cMd.exe | 4
PID 1304 wrote to memory of 332 | 1304 | cMd.exe | cmd.exe | 4
PID 332 wrote to memory of 1888 | 332 | cmd.exe | timeout.exe | 4
PID 332 wrote to memory of 1108 | 332 | cmd.exe | mondi.exe | 4
PID 332 wrote to memory of 1224 | 332 | cmd.exe | taskkill.exe | 4
PID 332 wrote to memory of 1964 | 332 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 1956 | 332 | cmd.exe | cmd.exe | 4
PID 1956 wrote to memory of 2016 | 1956 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 1060 | 332 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 540 | 332 | cmd.exe | cmd.exe | 4
PID 540 wrote to memory of 284 | 540 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 772 | 332 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 1896 | 332 | cmd.exe | cmd.exe | 4
PID 1896 wrote to memory of 1864 | 1896 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 1424 | 332 | cmd.exe | reg.exe | 4
PID 332 wrote to memory of 2020 | 332 | cmd.exe | cmd.exe | 4
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1280

Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\328b29b940554b497693b7dc4b1f74dc58dceb0619a33ed4aeeafa09b95af290.rtf"
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID: 1172

Level 1: C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
  PID: 1184

Level 1: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  PID: 844

Level 2: C:\Windows\SysWOW64\cMd.exe
  Command line: cMd /k %tEmP%\dqfm.cmd ? aaaac
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID: 1304

Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\hondi.cmD
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID: 332

Level 4: C:\Windows\SysWOW64\timeout.exe
  Command line: TIMEOUT 1
  - Delays execution with timeout.exe
  PID: 1888

Level 4: C:\Users\Admin\AppData\Local\Temp\mondi.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\mondi.eXe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID: 1108

Level 5: C:\Users\Admin\AppData\Local\Temp\mondi.eXe
  Command line: C:\Users\Admin\AppData\Local\Temp\mondi.eXe
  - Executes dropped EXE
  - Sets file execution options in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 980

Level 6: C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  - Modifies firewall policy service
  - Sets file execution options in registry
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer Protected Mode
  - Modifies Internet Explorer Protected Mode Banner
  - Modifies Internet Explorer settings
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID: 1476

Level 4: C:\Windows\SysWOW64\taskkill.exe
  Command line: TASkKILL /F /IM winword.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID: 1224

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Resiliency /f
  PID: 1964

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
  - Suspicious use of WriteProcessMemory
  PID: 1956

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
  PID: 2016

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Resiliency /f
  PID: 1060

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
  - Suspicious use of WriteProcessMemory
  PID: 540

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
  PID: 284

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Resiliency /f
  PID: 772

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
  - Suspicious use of WriteProcessMemory
  PID: 1896

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\File MRU" /v "Item 1"
  PID: 1864

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Resiliency /f
  PID: 1424

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
  PID: 2020

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
  PID: 1004

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Resiliency /f
  PID: 1472

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
  PID: 576

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
  PID: 1976

Level 4: C:\Windows\SysWOW64\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency /f
  PID: 756

Level 4: C:\Windows\SysWOW64\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
  PID: 1940

Level 5: C:\Windows\SysWOW64\reg.exe
  Command line: REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
  PID: 1872

Level 1: C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-1906132391-389951473-14306924981615920992-2112124796-992308298799363397-99359662"
  PID: 1944
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 186B
MD5: 29324996d120283c617a7a142b5ba980
SHA1: 43aa940b29713a6e75f30a6b614352c3bba24d6c
SHA256: 2ab6f8f8b4f358a0f821de0710c3227dcbd1a3fa31172fda39ab44052a6cf021
SHA512: 21c4d36887c72d01f9d2913c61e9d443169351a1c97b81a503712f0a224d50484100493dc971121ab71343b372440c0633fb062bb4930d1e6f53d455c9352b48

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 328KB
MD5: f807bc3379e9020ea229c1757c8bc257
SHA1: 1749d613fe4159efcd3fdc3c4dfb621bd447be5e
SHA256: df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198
SHA512: b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c

Filesize: 328KB
MD5: f807bc3379e9020ea229c1757c8bc257
SHA1: 1749d613fe4159efcd3fdc3c4dfb621bd447be5e
SHA256: df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198
SHA512: b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c

Filesize: 328KB
MD5: f807bc3379e9020ea229c1757c8bc257
SHA1: 1749d613fe4159efcd3fdc3c4dfb621bd447be5e
SHA256: df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198
SHA512: b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c

Filesize: 328KB
MD5: f807bc3379e9020ea229c1757c8bc257
SHA1: 1749d613fe4159efcd3fdc3c4dfb621bd447be5e
SHA256: df48b77715079cb66cd32cd56cd59367ebabfa81210919cfcb45795e928b2198
SHA512: b2f8ef3024c7af57239b2e5f769a8d018fb284361aab333abc8277d87420cd4830bc20de2fb4913c0cd4bfe3660ba458c9b7656ce6d13a6e12fac5d1d84cc93c

Filesize: 11KB
MD5: b0c77267f13b2f87c084fd86ef51ccfc
SHA1: f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256: a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512: f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Filesize: 12KB
MD5: 2bca48f9681de2a01180e3e3a4170238
SHA1: e097d8f8c9c51c777e7e1f720624ca9a0961b821
SHA256: 5f2d209fb93640bf6c81cbddaa00d1c2e120228e7fa34161ad2786e3f0f8b1cb
SHA512: 5860b0d09cb0393efb8ea11d34de4a78a24adcb779c516ff7657cf44e5c54fbaeb343c9d005275d5915733ac149981cdc2af2f7d3f5db5d51cbd953cae073165