e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825

Analysis

max time kernel
94s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825.rtf
Size

371KB
MD5

ad0ef249b1524f4293e6c76a9d2ac10d
SHA1

9c85cb7855e7d6aba679551da109d12833d9f06d
SHA256

e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825
SHA512

94ee5621fdf019d419c6b936cb65afdbf8639c9df573c0e4d5465a8bcd2a86e843ec77271c4e145b26e5f9a82b937a81b337cbffc59c3540ba4f83d9ce7fa6b7
SSDEEP

6144:1YabHXFKU9/aFh4EBEpxNQQgt7B4rFLnwPDreksv50mir3:aIX1NG3EpxNQ3SBLnwWkUIz

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1744	193D.tmp
688	193D.tmp

Loads dropped DLL 3 IoCs

pid	Process
620	WINWORD.EXE
620	WINWORD.EXE
1744	193D.tmp

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 688	1744	193D.tmp	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1648	1192	WerFault.exe	20

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	winword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	winword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	winword.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	winword.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	winword.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	winword.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	winword.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	winword.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	winword.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	winword.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	winword.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
620	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
688	193D.tmp
688	193D.tmp
688	193D.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	193D.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
620	WINWORD.EXE
688	193D.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
688	193D.tmp

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
620	WINWORD.EXE
620	WINWORD.EXE
1856	winword.exe
1856	winword.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1904	620	WINWORD.EXE	27
PID 620 wrote to memory of 1904	620	WINWORD.EXE	27
PID 620 wrote to memory of 1904	620	WINWORD.EXE	27
PID 620 wrote to memory of 1904	620	WINWORD.EXE	27
PID 620 wrote to memory of 1744	620	WINWORD.EXE	28
PID 620 wrote to memory of 1744	620	WINWORD.EXE	28
PID 620 wrote to memory of 1744	620	WINWORD.EXE	28
PID 620 wrote to memory of 1744	620	WINWORD.EXE	28
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 1744 wrote to memory of 688	1744	193D.tmp	29
PID 620 wrote to memory of 1856	620	WINWORD.EXE	30
PID 620 wrote to memory of 1856	620	WINWORD.EXE	30
PID 620 wrote to memory of 1856	620	WINWORD.EXE	30
PID 620 wrote to memory of 1856	620	WINWORD.EXE	30
PID 688 wrote to memory of 1192	688	193D.tmp	20

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e335af83d768498505957df217a1c46c1a0ee6cbdf884d7a11166831dbd5e825.rtf"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\193D.tmp
  C:\Users\Admin\AppData\Local\Temp\193D.tmp
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\193D.tmp
    "C:\Users\Admin\AppData\Local\Temp\193D.tmp"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:688
- C:\Program Files (x86)\Microsoft Office\Office14\winword.exe
  winword C:\Users\Admin\AppData\Local\Temp\cv.doc
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1856

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1192 -s 3048
  2⤵
  - Program crash
  PID:1648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cv.doc

Filesize
30KB

MD5
14b0bc97f9de5ecca1b75985750eeaa9

SHA1
3905da62eac43b926b3483ab8556593aaea3e6f5

SHA256
da1982f3cf68a49dd1785dad24f1eb571c7d8b618b42f42dd9c199386e33c966

SHA512
7afbefd433baf65790430c49af0ad12db5d727920d403eb80daec65cc1e46e777e9336ad080a9508a670d8dc7d9ab59e402ab6272564bd9f8caff1de2d6903c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\MSO1033.acl

Filesize
36KB

MD5
cd3abd2793280e5b9fa898b60b04264a

SHA1
4a71208ce88b60b2fbb70ea5f1069f7327b1523c

SHA256
3603adf23348be94221f087359de5342b1a207d4cc051f6ec8d415adf0fffee9

SHA512
61903a109476e2a9e47fcdabebb26cefb4cead3c2514fece8d0b31b2b47419365add7e3eeaafa5ce61fb5e76fd8ecb5862514f78957857e1eb23ae252154e91b

Download Submit
\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
\Users\Admin\AppData\Local\Temp\193D.tmp

Filesize
167KB

MD5
62e25cc76291a3f348324172ff306ba0

SHA1
62d644ac17ac321ee4ade014099390135e49e2e6

SHA256
83f4b9560085c1f8eee3c43235c74c9152289ffe8cae141f80f1fba9e26d8281

SHA512
c8888425af8431d642b34573417b112013e539aec4def61070164c99773ebf8b202a52ce69e31036fbdf1af54fbcdf58d811061e6df7ae66ca7d8db96022f87e

Download Submit
memory/620-57-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-54-0x0000000072E21000-0x0000000072E24000-memory.dmp

Filesize
12KB

Download
memory/620-55-0x00000000708A1000-0x00000000708A3000-memory.dmp

Filesize
8KB

Download
memory/620-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/620-65-0x000000006BE51000-0x000000006BE53000-memory.dmp

Filesize
8KB

Download
memory/620-66-0x0000000002460000-0x00000000024BD000-memory.dmp

Filesize
372KB

Download
memory/620-58-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/688-70-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-72-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-87-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-78-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-79-0x0000000000406400-mapping.dmp

Download
memory/688-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/688-75-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1192-94-0x0000000002A70000-0x0000000002A86000-memory.dmp

Filesize
88KB

Download
memory/1744-63-0x0000000000000000-mapping.dmp

Download
memory/1856-82-0x0000000000000000-mapping.dmp

Download
memory/1856-92-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1856-93-0x000000007188D000-0x0000000071898000-memory.dmp

Filesize
44KB

Download
memory/1904-60-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1904-59-0x0000000000000000-mapping.dmp

Download