Malware Analysis Report

2025-01-02 14:12

Sample ID 220731-ltdycsaea9
Target 72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b
SHA256 72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b
Tags
hawkeye collection keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b

Threat Level: Known bad

The file 72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b was found to be: Known bad.

Malicious Activity Summary

hawkeye collection keylogger persistence spyware stealer trojan

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Adds Run key to start application

Accesses Microsoft Outlook accounts

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of SetWindowsHookEx

NTFS ADS

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Launches Equation Editor

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-31 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-31 09:49

Reported

2022-07-31 13:18

Platform

win7-20220718-en

Max time kernel

140s

Max time network

129s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A.X N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A.X N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A.X N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\A.X N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\26 C:\Users\Admin\AppData\Local\Temp\A.X N/A
File opened for modification C:\Windows\SysWOW64\28 C:\Users\Admin\AppData\Local\Temp\A.X N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 804 set thread context of 1452 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Users\Admin\AppData\Local\Temp\A.X
PID 1452 set thread context of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 set thread context of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A.X N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A.X N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 320 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 320 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 320 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 320 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Windows\SysWOW64\cmd.exe
PID 320 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\A.X
PID 320 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\A.X
PID 320 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\A.X
PID 320 wrote to memory of 804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\A.X
PID 804 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Users\Admin\AppData\Local\Temp\A.X
PID 804 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Users\Admin\AppData\Local\Temp\A.X
PID 804 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Users\Admin\AppData\Local\Temp\A.X
PID 804 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Users\Admin\AppData\Local\Temp\A.X
PID 1340 wrote to memory of 996 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1340 wrote to memory of 996 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1340 wrote to memory of 996 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1340 wrote to memory of 996 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1452 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\A.X C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf"

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd /c %tmp%\A.X

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Local\Temp\A.X

C:\Users\Admin\AppData\Local\Temp\A.X

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe

"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding

C:\Users\Admin\AppData\Local\Temp\A.X

:\Users\Admin\AppData\Local\Temp\A.X

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.155.36:80 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp

Files

memory/1340-54-0x00000000721D1000-0x00000000721D4000-memory.dmp

memory/1340-55-0x000000006FC51000-0x000000006FC53000-memory.dmp

memory/1340-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1340-57-0x00000000750B1000-0x00000000750B3000-memory.dmp

memory/1340-58-0x0000000070C3D000-0x0000000070C48000-memory.dmp

memory/1704-59-0x000000002F701000-0x000000002F704000-memory.dmp

memory/1704-62-0x0000000070C3D000-0x0000000070C48000-memory.dmp

memory/320-65-0x0000000000000000-mapping.dmp

memory/1704-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

C:\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

memory/804-71-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

C:\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

memory/1704-73-0x0000000070C3D000-0x0000000070C48000-memory.dmp

memory/1756-77-0x000000002F651000-0x000000002F654000-memory.dmp

memory/1340-80-0x000000006AF81000-0x000000006AF83000-memory.dmp

memory/1340-81-0x0000000070C3D000-0x0000000070C48000-memory.dmp

memory/804-82-0x00000000003F0000-0x00000000003F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

memory/1452-86-0x000000000048DBD6-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A.X

MD5 dde134749372009281daa4070762871b
SHA1 1f436857eafa4c42ddcf7024b247d92904ee67b0
SHA256 c970b71df8bc07dbd08e4ee90bc3d6a33ca94a0895bd3a6038567c7cac1c4420
SHA512 6837f4ad795a880531b2f0b7f3d080772883f75c9767fa7a7c98799e5453c48e4c26a5b71521bfb69868ffa8d9133c6fec3818b68d1fde1f795af72d3eb18812

memory/1452-91-0x0000000000400000-0x000000000047B000-memory.dmp

memory/1452-94-0x0000000002570000-0x0000000002606000-memory.dmp

memory/1452-97-0x0000000076F90000-0x0000000077110000-memory.dmp

memory/804-98-0x0000000076F90000-0x0000000077110000-memory.dmp

memory/996-99-0x0000000000000000-mapping.dmp

memory/1452-100-0x0000000069AC0000-0x000000006A06B000-memory.dmp

memory/996-101-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

memory/1452-102-0x0000000076F90000-0x0000000077110000-memory.dmp

memory/1452-103-0x0000000069AC0000-0x000000006A06B000-memory.dmp

memory/1340-105-0x0000000070C3D000-0x0000000070C48000-memory.dmp

memory/1772-106-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1772-107-0x0000000000411654-mapping.dmp

memory/1772-110-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1772-112-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1452-111-0x0000000006885000-0x0000000006896000-memory.dmp

memory/1744-113-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1744-114-0x0000000000442628-mapping.dmp

memory/1744-117-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1744-118-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1744-119-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1452-121-0x0000000006885000-0x0000000006896000-memory.dmp

memory/1772-122-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-31 09:49

Reported

2022-07-31 13:20

Platform

win10v2004-20220721-en

Max time kernel

169s

Max time network

213s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\{BE7937F5-3211-42FE-BEA7-B964C1F605DE}\A.X:Zone.Identifier C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\72b07835503273dc7f135f14dfe3a5ae6eae19675f19f2e3147a89123018464b.rtf" /o ""

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" -Embedding

C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe

"C:\Program Files\Microsoft Office\Root\Office16\excelcnv.exe" -Embedding

Network

Country  Destination          Domain                          Proto
US       93.184.220.29:80                                     tcp
GB       51.104.15.253:443                                    tcp
US       8.253.146.120:80                                     tcp
US       8.249.185.254:80                                     tcp
US       8.249.185.254:80                                     tcp
US       8.8.8.8:53           106.89.54.20.in-addr.arpa       udp

Files

memory/1820-130-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/1820-131-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/1820-132-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/1820-133-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/1820-134-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/1820-135-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp

memory/1820-136-0x00007FFE563C0000-0x00007FFE563D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

MD5 98194ef3188aac75deaa2e16f4a43eb7
SHA1 31958ae66572514ca49b43082f085813591328b1
SHA256 2b8d1f010f6492e8fc6d3432ff8d0a1213adc644046515d2ddabf674876323bc
SHA512 186e9b12701b4bcdd02ff0335a3107c9731ec1eb2fbf4d72a7a038fae23a06d1b1f6c6e2a9ad9e4937147a8ff5ba4d740311c6cd9e7a72a2518ae6d2418632c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

MD5 84686e3a5d69c4cedfe10394eebbb173
SHA1 22759a15b37e7049cfb7a6b7d34a986d2ed8c41a
SHA256 b1022323cbbbc6929fbe0c9d70fc48b503f52d37831a3bdfe1c4acffbfe540b0
SHA512 63732252788384d0c61efff04683a7517def2c0ee561b7608156dedf32a3af3fb3fabd7c9920c25e95bb4ee31652eaef61c760064546a4c87e438e41db6d0cf5

memory/2224-148-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/2224-149-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/2224-150-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/2224-151-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54B8D47B-AAB5-4AB8-82FC-1617ED222888

MD5 00ac1c4d3377520ad51f78f35cabe62e
SHA1 b11534cef95ef2c0578256702688da70c7d153e1
SHA256 11c310e2104db8fe0669f4376ac84a75c19ce08bcc1c173a656f232938b1058f
SHA512 c08d0429df9c65e4b7f8679afc2cdf4d05f2f94c6b4f03e22e65bf85aa07619f376cdc2a916828e5c44ae356f8166bbc43fed0773b3a654c6510b160c7002d78

memory/3440-155-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/3440-156-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/3440-157-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/3440-158-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/2224-160-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp

memory/2224-161-0x00007FFE58890000-0x00007FFE588A0000-memory.dmp