Analysis Overview
SHA256
1c42f2f3c5c890651be771c2d7a9e98818f76c4f5373f1568b959ea4be0ecd91
Threat Level: Likely malicious
The file Officesample.zip was found to be: Likely malicious.
Malicious Activity Summary
Grants admin privileges
Sets file execution options in registry
Possible privilege escalation attempt
Suspicious Office macro
Stops running service(s)
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Registers COM server for autorun
UPX packed file
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Modifies registry class
Runs regedit.exe
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-22 13:12
Signatures
Suspicious Office macro
1 match, no indicator details recorded.
UPX packed file
1 match, no indicator details recorded.
Unsigned PE
9 matches, no indicator details recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win7-20240215-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Windows\regedit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A |
UPX packed file
6 matches, no indicator details recorded.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ALRTINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO99LWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEODBCI.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCH.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.CNT | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\xlsrvintl.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEERR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWDAT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEXBE.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODTXT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXPSRV.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\eqnedt32.exe.manifest | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\msgfilt.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\VBAJET32.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\zh-cn | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\MTEXTRA.TTF | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\odffilt.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\msointl30.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_PDF.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBE7INTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODDBS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO30WIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_XPS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c\Policy.14.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\SHELLNEW | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\SHELLNEW\EXCEL.XLS | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\AlternateCLSID = "{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\AlternateCLSID = "{00024522-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}\Compatibility Flags = "1024" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\Compatibility Flags = "1024" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
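The `command\command` value that regsvr32 writes under both Default HTML Editor and Default MHTML Editor (the same hex blob appears four times because the keys are deleted and recreated) is a REG_MULTI_SZ rendered as raw hex, not an obfuscated payload. Decoded as UTF-16LE it is a Windows Installer "Darwin descriptor" (compressed product GUID, feature name, compressed component GUID) followed by the ordinary `/n "%1"` arguments; that is the form Office uses for advertised shell verbs so that invoking the verb goes through MSI before the executable runs. The following added example (not taken from the report or from the installer) decodes it using the standard Darwin-descriptor alphabet and GUID layout. The product code it yields, {90140000-0011-0000-0000-0000000FF1CE}, is the Office 2010 Professional Plus product code, which agrees with the `Office14\WINWORD.EXE` default value on the same key; neither that path nor an Office14 directory appears among the files this report shows being created, so the verb is wired to an installation that is not there.

```python
"""Decode the hex-rendered 'command' REG_MULTI_SZ from the IE editor rows.
Added example; not part of the sandbox report or of the installer."""
import struct
import uuid

# Windows Installer "Darwin descriptor" alphabet: 85 symbols, value = index.
DARWIN_ALPHABET = (
    "!$%&'()*+,-.0123456789=?@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`"
    "abcdefghijklmnopqrstuvwxyz{}~"
)

# The report's hex blob, copied verbatim; spaces added per UTF-16 code unit
# for readability and stripped before decoding.
REPORT_HEX = (
    "7800 6200 2700 4200 5600 3500 2100 2100 2100 2100 2100 2100 2100 2100 2100 "
    "4d00 4b00 4b00 5300 6b00 5700 4f00 5200 4400 4600 6900 6c00 6500 7300 3e00 "
    "6200 6900 2400 5400 2100 5600 2100 3000 5a00 3d00 7b00 5000 6b00 3000 7600 "
    "6d00 7e00 4100 5a00 7500 2000 2f00 6e00 2000 2200 2500 3100 2200 0000 0000"
).replace(" ", "")


def decode_multi_sz(hex_blob: str) -> list:
    """REG_MULTI_SZ as the sandbox renders it: UTF-16LE, NUL-separated
    strings, double-NUL terminated."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def darwin_dword(chunk: str) -> int:
    """Five alphabet symbols -> one 32-bit value, least significant symbol first."""
    if len(chunk) != 5:
        raise ValueError("compressed GUID chunks are 5 symbols, got %r" % chunk)
    value = 0
    for i, ch in enumerate(chunk):
        value += DARWIN_ALPHABET.index(ch) * 85 ** i  # ValueError on a foreign symbol
    if value > 0xFFFFFFFF:
        raise ValueError("chunk overflows 32 bits: %r" % chunk)
    return value


def decompress_guid(code: str) -> str:
    """20-symbol compressed GUID -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'.
    The four DWORDs are the GUID's in-memory little-endian layout."""
    dwords = [darwin_dword(code[i:i + 5]) for i in range(0, 20, 5)]
    return "{%s}" % str(uuid.UUID(bytes_le=struct.pack("<4I", *dwords))).upper()


def parse_darwin_command(entry: str) -> dict:
    """'<product20><feature>><component20> <args>' -> its parts, GUIDs expanded."""
    descriptor, _, args = entry.partition(" ")   # the alphabet contains no space
    product, rest = descriptor[:20], descriptor[20:]
    feature, _, component = rest.partition(">")
    return {
        "product_code": decompress_guid(product),
        "feature": feature,
        "component_code": decompress_guid(component),
        "args": args,
    }


def decode_report_value(hex_blob: str = REPORT_HEX) -> dict:
    """Decode the first (and only) string of the report's MULTI_SZ value."""
    entries = decode_multi_sz(hex_blob)
    return parse_darwin_command(entries[0])


if __name__ == "__main__":
    for key, val in decode_report_value().items():
        print("%-15s %s" % (key, val))
```

The feature name `WORDFiles` and the `/n "%1"` tail are what a genuine Office registration would write; the point of decoding is that the product GUID tells you which Office the registered DLL's data was built for, independent of whatever paths the installer patched elsewhere.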
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.8\shell\OnenotePrintto | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\protocol\StdFileEditing | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\protocol\StdFileEditing\SetDataFormats | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.OpenDocumentText.12\protocol\StdFileEditing\RequestDataFormats\ = "NoteshNote,NotesDocAction" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020914-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0341-0000-0000-C000-000000000046}\ = "Script" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsm\PerceivedType = "document" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\2\ = "1,1,1,3" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E2AB674-BB21-4CC2-ADE5-092DA15B51FF}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FM20.DLL" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\Version | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020941-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1715-0000-0000-C000-000000000046}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B0E334D-B734-458A-A041-B528D031D4E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Print\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xll\ = "Excel.XLL" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ = "SlideRange" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.12\shell\OpenAsReadOnly\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FFA84BB-A350-4442-BB53-A43653459A84}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\TypeLib\ = "{AC2DE821-36A2-11CF-8053-00AA006009FA}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Verb\0\ = "&Edit,0,2" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\SysWOW64\\msohtmed.exe\" /p %1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.16\CLSID | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020803-0000-0000-C000-000000000046}\Verb\1\ = "&Open,0,2" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template\CurVer\ = "Word.Template.12" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209B9-0000-0000-C000-000000000046}\ = "_Global" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBC51762-A8ED-11D3-A0DD-00C04F68712B}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5970C574-EB8C-11CD-8701-00AA003F0F07}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\DefaultFile | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020910-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1523700-6128-101B-AF4E-00AA003F0F07}\TypeLib | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ELMFile\DefaultIcon\ = "D:\\office2016\\icons\\misc.exe,6" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-msexcel | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-powerpoint\DefaultIcon\ = "D:\\office2016\\Office16\\POWERPNT.EXE,0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\shell\Show | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShow.12\shell\ViewProtected | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\DataFormats\GetSet\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020967-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493455-5A91-11CF-8700-00AA0060263B} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2B83A65-B061-4469-83B6-8877437CB8A0}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32\ = "C:\\Windows\\sysWOW64\\FM20.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.UriLink.16\DefaultIcon\ = "D:\\office2016\\Office16\\MSACCESS.EXE,0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Access.WizardDataFile.16\shell\Open\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\3\ = "3,1,32,1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{352840A9-AF7D-4CA4-87FC-21C68FDAB3E4}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E978-E47C-11CD-8701-00AA003F0F07}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0354-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0002E157-0000-0000-C000-000000000046}\5.3\0\win32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020827-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\DataFormats\GetSet\0\ = "3,1,32,1" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03CB-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E954-E47C-11CD-8701-00AA003F0F07}\TypeLib\ = "{4AFFC9A0-5F99-101B-AF4E-00AA003F0F07}" | C:\Windows\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"
C:\Windows\system32\mode.com
mode con: cols=80 lines=22
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.2."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.3."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.4."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "10."
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd" ::
C:\Windows\system32\mode.com
mode con: cols=80 lines=22
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.2."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.3."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.4."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "10."
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"
C:\Windows\regedit.exe
regedit /s ospp\unist.dat
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" e -y "ospp\QuickToobar.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Office"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\net.7z" -o"C:\Program Files (x86)\Microsoft.NET"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\MShared.7z" -o"C:\Program Files (x86)\Common Files\Microsoft Shared"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\ShellNew.7z" -o"C:\Windows"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\Addins\OTKLOADR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\ACCWIZ.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\ACCWIZ.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\IEAWSDC.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\IEAWSDC.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOEURO.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOEURO.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOHEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOHEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOHEVI.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOHEVI.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSRTEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSRTEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\REFEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\REFEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\OSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\OSF.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\NAME.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\NAME.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\CHART.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\CHART.DLL"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSADDNDR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSADDNDR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Windows\sysWOW64\FM20.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\sysWOW64\FM20.DLL"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"C:\\" -t:"C:\\"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"D:\\office2016" -t:"C:\\Users\\Admin\\AppData\\Local\\Temp\\Office 2016 四合一精简版"
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\test.dat"
C:\Windows\regedit.exe
regedit /s "office16\officeu.dat"
C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Excel 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\EXCEL.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\PowerPnt2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\POWERPNT.EXE"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
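The process listing shows the installer's whole pattern. Seven `cmd /S /D /c" ver " | find` pairs probe the OS version string, then mshta calls Shell.Application.ShellExecute on the same batch file `!)安装.cmd` (安装 = "install") with the `runas` verb. That is an ordinary UAC consent prompt, which the sandbox accepted: the next entry is an elevated cmd.exe re-running the batch with the `::` marker argument the mshta call passed. It is what the "Possible privilege escalation attempt" and "Grants admin privileges" signatures fire on, not a UAC bypass. From there everything runs as administrator out of a user-writable directory: `regedit /s` imports .dat files from %TEMP%, `regsvr32` registers DLLs by relative path (`Office16\...`, resolved against the batch file's working directory) as well as by absolute path under Program Files, and mshta creates desktop shortcuts whose targets sit inside %TEMP%. The added example below (not part of the report) walks a subset of these image/command-line pairs copied from the listing and flags the operations whose target resolves under the user profile; the working directory is an assumption inferred from the relative `ospp\...` and `Office16\...` arguments.

```python
"""Triage a sandbox 'Processes' listing (image path line, then command line).
Added example; not part of the report.  The pairs below are copied from the
listing above, trimmed to the ones this check cares about."""
import ntpath
import re
from collections import Counter
from typing import Optional

PROCESS_LISTING = r'''
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd" ::
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"
C:\Windows\regedit.exe
regedit /s ospp\unist.dat
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\Addins\OTKLOADR.dll"
C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
'''

# Roots an unprivileged user can write to (simplified to the profile tree).
USER_WRITABLE_ROOTS = ("c:\\users\\",)

# Working directory of the installer batch.  Assumption: inferred from the
# relative "ospp\..." and "Office16\..." arguments that must resolve against it.
INSTALLER_CWD = r"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版"

_QUOTED = re.compile(r'"([^"]+)"')
_TARGET = re.compile(r'TargetPath=""([^"]+)""', re.I)


def file_argument(cmdline: str) -> Optional[str]:
    """Path argument of a regsvr32/regedit command line: the first quoted
    token if any, otherwise the last whitespace-separated token."""
    m = _QUOTED.search(cmdline)
    if m:
        return m.group(1)
    parts = cmdline.split()
    return parts[-1] if len(parts) > 1 else None


def is_user_writable(path: str, cwd: str) -> bool:
    """Resolve relative paths against cwd with Windows semantics, then test the root."""
    full = ntpath.normpath(ntpath.join(cwd, path))
    return full.lower().startswith(USER_WRITABLE_ROOTS)


def triage_processes(listing: str = PROCESS_LISTING, cwd: str = INSTALLER_CWD) -> list:
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    findings = []
    for image_path, cmdline in zip(lines[0::2], lines[1::2]):
        image = ntpath.basename(image_path).lower()
        if image == "mshta.exe" and '"runas"' in cmdline.lower():
            # ShellExecute verb "runas": UAC consent prompt, not a bypass.
            findings.append({"kind": "uac_elevation_prompt", "image": image, "target": cmdline[:40]})
        elif image == "mshta.exe":
            m = _TARGET.search(cmdline)
            if m and is_user_writable(m.group(1), cwd):
                findings.append({"kind": "shortcut_to_user_writable_target", "image": image, "target": m.group(1)})
        elif image in ("regsvr32.exe", "regedit.exe"):
            arg = file_argument(cmdline)
            if arg and is_user_writable(arg, cwd):
                kind = ("com_server_from_user_writable_path" if image == "regsvr32.exe"
                        else "registry_import_from_user_writable_path")
                findings.append({"kind": kind, "image": image,
                                 "target": ntpath.normpath(ntpath.join(cwd, arg))})
    return findings


def summarize(findings: list) -> Counter:
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage_processes():
        print("%-40s %-13s %s" % (f["kind"], f["image"], f["target"]))
```

Resolving the relative `Office16\...` arguments is the step worth keeping: the same regsvr32 line looks benign until it is joined with the batch file's working directory, at which point every COM server it registers turns out to live in %TEMP%.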
Network
Files
memory/1672-3-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1672-4-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unist.dat
| MD5 | 48f78af51d6f4fee2d793112a57d9453 |
| SHA1 | 21a400a14c49267be99173b3fcb4b5ea2e7cae9d |
| SHA256 | e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33 |
| SHA512 | 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123 |
C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll
| MD5 | 694d2a073077aede544ab02f9b6d583e |
| SHA1 | 02d08fe89186ffdc9b8a6b70c481729243c22d06 |
| SHA256 | 171ac7a1cb48bd459d4b59a141026f5ec84d0b3705a265e0bac6015d320cd1ae |
| SHA512 | 3313889db184961d0b452968fb413b57a3b6b6f0175889a4f19569e32e69f7c470378234ba980e62350cda67e392f9040b2b5da8cece8e6b628ab6db406bc906 |
C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll
| MD5 | 8123371105dbb370ea3b90e5f5e7ad0c |
| SHA1 | 1ef4e8fc494237e50995592cb4e00becd0bbf982 |
| SHA256 | 0a89f5f1fd9143d4822d349102d33b37cb9f8f42f17c1ea37ac047d70dcd9a95 |
| SHA512 | 50196fb9da3a095436521393b8924859125d978bbf6e0e9af83b4e59a474398e97f09c08a3c5ca4310718677cde84e805a4acc7956b9c5eb8b14c39166579754 |
C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll
| MD5 | 79a3facb00d5f2250388f2093105677c |
| SHA1 | da9645d3e9aa9cebe4696b6977e591a8d5dbfffc |
| SHA256 | 4b380d82641d85b539a0b53a6ac0c187de6102e1cfcbb951448565381cfb12be |
| SHA512 | 53256ba080e37030eef29d16c964bfad4540378a672a8b2f164ce40add8fca409c554b4c14cfeaa083e59b2b66157a8e648315ad7f67c95562df59e5988b88f2 |
C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll
| MD5 | 704ac2c8e2f085154553c20617c63d71 |
| SHA1 | d41d2ec9a81df135c98b1f1feb9a10976d2c719e |
| SHA256 | fc69f45102cbd0897c15a9e80888232733800f73f1bb2cc49ba4e34dd896d446 |
| SHA512 | 9276952b09fca7a2031e80f80263414e16eac8df88da037909315761399d52c260a9b8444a08bac04df6d841a0471a7c38ed5c2634c6c3007de607303572c2c1 |
memory/2496-254-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2496-255-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2564-256-0x0000000000400000-0x000000000048F000-memory.dmp
memory/2564-257-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.dat
| MD5 | 0e6ddffe4e0a7f54a68acc67c05bb959 |
| SHA1 | f0fab9434c836e60bc3d49ac34f883dd746c05e4 |
| SHA256 | 8740f131d786441bf8b43c963d8139fa57d32ffeea3241051ffa721e9521ee6d |
| SHA512 | 7e716e8c35a8f999c98586651db730b627ab87cc997447ad6bf681b6e7ededce94eaec04f7336b0598c41a97829ef2e639c75dd84d3b854926fff91379e11180 |
C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF
| MD5 | e269de5f63fcdedca11755947615f1fb |
| SHA1 | f36d544ffaf7cb5112b502dab224087e9b323e38 |
| SHA256 | 6c469962f33b7222f07b8d1ae8025f177f4a5f5db3eb62fa1523f261a270991f |
| SHA512 | 47cdc49bec88b384d27335e3192eeaa38cbd0c7c5770bcda15382311dcc7eb74d73785b0a0159bc8e5953225ebb84698b793b42737d879c892504c8d962633dd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Windows\regedit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\mshta.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-xstate-l2-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-file-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-synch-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\VEN2232.OLB | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-stdio-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-private-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-eventing-provider-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-file-l2-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-file-l2-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-eventing-provider-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-convert-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-process-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\VEN2232.OLB | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-time-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-utility-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-localization-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\FM20.DLL | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-heap-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-string-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-file-l1-2-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-environment-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-math-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-core-processthreads-l1-1-1.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-core-xstate-l2-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\api-ms-win-crt-conio-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-runtime-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\sysWOW64\api-ms-win-crt-locale-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\FM20.DLL | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A |
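The three tables above (Image File Execution Options writes by regedit.exe, CLSID\InprocServer32 registrations, and DLL drops under SysWOW64 by cmd.exe) are the rows a reviewer has to read most carefully, because each pattern has both an installer reading and a persistence reading. An IFEO `Debugger` value hijacks the image at launch (ATT&CK T1546.012), whereas `DisableExceptionChainValidation = "0"` enables SEHOP for that image rather than weakening it, which is what an Office installer does for its own executables. An InprocServer32 default value pointing outside Program Files or Windows is the COM hijack shape (T1546.015), whereas the paths recorded here all resolve to Office filter and shell-extension DLLs; the Program Files writer is 7za.exe run from a temp directory named "Office 2016 四合一精简版" (roughly "Office 2016 four-in-one lite edition"). The Python script below is an added example, not code from the report or the sandbox vendor: it parses rows in this report's `| Description | Indicator | Process | Target |` layout and rates them with those rules. The severity levels, the trusted-root and installer allow-lists, and the last two sample rows (an IFEO Debugger hijack and an HKCU CLSID redirected to C:\Users\Public) are constructed for illustration; the other sample rows are copied from the tables above.

```python
"""Triage of sandbox-report signature rows (added example, not part of the report)."""
import re
from dataclasses import dataclass

# Registry rows of interest, matched against the report's Indicator column.
IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)"
    r"(?:\\(?P<value>[^\\=]*?)\s*=\s*\"(?P<data>[^\"]*)\")?\s*$",
    re.IGNORECASE,
)
COM_RE = re.compile(
    r"\\Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32"
    r"(?:\\(?P<value>[^\\=]*?)\s*=\s*\"(?P<data>.*)\")?\s*$",
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed allow-lists for this example; tune them to your own environment.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
INSTALLER_PROCS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}


@dataclass
class Finding:
    kind: str       # "ifeo", "com" or "file"
    severity: str   # "info", "medium" or "high"
    process: str
    detail: str


def unescape(data: str) -> str:
    """Undo the \\\\ and \\" escaping the report applies to string values, drop outer quotes."""
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data) and data[i + 1] in '\\"':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out).strip().strip('"')


def parse_row(line: str):
    """Return (description, indicator, process) for a data row, None for headers/empty rows."""
    if not line.strip().startswith("|"):
        return None
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description" or cells[1] == "N/A":
        return None
    return cells[0], cells[1], cells[2]


def classify_ifeo(indicator: str, process: str):
    m = IFEO_RE.search(indicator)
    if not m:
        return None
    image, value = m.group("image"), m.group("value") or ""
    data = unescape(m.group("data") or "")
    if value.lower() == "debugger":
        # Any Debugger value replaces the image at launch (T1546.012).
        return Finding("ifeo", "high", process, f"{image}: Debugger -> {data}")
    if value.lower() == "disableexceptionchainvalidation":
        # 0 enables SEHOP for the image, 1 disables it; Office setup writes 0.
        disabled = data == "1"
        return Finding("ifeo", "high" if disabled else "info", process,
                       f"{image}: SEHOP {'disabled' if disabled else 'enabled'}")
    return Finding("ifeo", "info", process, f"{image}: IFEO key touched ({value or 'key'})")


def classify_com(indicator: str, process: str):
    m = COM_RE.search(indicator)
    if not m:
        return None
    clsid, value = m.group("clsid"), m.group("value") or ""
    if m.group("data") is None or value:
        # Key create/delete or ThreadingModel: context only, the DLL path is what matters.
        return Finding("com", "info", process, f"{clsid}: {value or 'InprocServer32 key'}")
    dll = unescape(m.group("data"))
    trusted = dll.lower().startswith(TRUSTED_ROOTS)
    # A CLSID redirected to a DLL outside trusted roots is the COM hijack shape (T1546.015).
    return Finding("com", "info" if trusted else "high", process, f"{clsid} -> {dll}")


def classify_file(description: str, indicator: str, process: str):
    if description.lower() not in ("file created", "file opened for modification"):
        return None
    if not indicator.lower().startswith(SYSTEM_DIRS):
        return None
    proc = process.rsplit("\\", 1)[-1].lower()
    # Writes into System32/SysWOW64 by anything but a servicing process deserve a look.
    sev = "info" if proc in INSTALLER_PROCS else "medium"
    return Finding("file", sev, process, f"{description}: {indicator}")


def triage(lines):
    """Apply the registry rules first, then the file rule, to every data row."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        description, indicator, process = row
        f = classify_ifeo(indicator, process) or classify_com(indicator, process)
        if f is None:
            f = classify_file(description, indicator, process)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


SAMPLE_ROWS = [
    # Rows copied from the behavioral2 signature tables of this report.
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A |',
    r'| File created | C:\Windows\sysWOW64\FM20.DLL | C:\Windows\System32\cmd.exe | N/A |',
    r'| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |',
    # Constructed rows (not from this report) showing the hostile variants of the same patterns.
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "cmd.exe" | C:\Windows\regedit.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-0-0-0-1000\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Users\\Public\\evil.dll" | C:\Windows\regedit.exe | N/A |',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"[{f.severity:6}] {f.kind:4} {f.detail}  ({f.process})")
    print(summarize(triage(SAMPLE_ROWS)))
```

Run against the full report, every IFEO and COM row from the tables above rates as "info" and only the cmd.exe writes into SysWOW64 reach "medium"; the two constructed rows are the only ones that reach "high". That ordering is the point: the sandbox verdict counts signature names, while a reviewer has to read the values and paths behind them.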
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ALRTINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\RICHED20.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSORES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEXBE.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\zh-cn | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWDAT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\xlsrvintl.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO20WIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_PDF.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO20WIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACECORE.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.CNT | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\eqnedt32.exe.manifest | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWSS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\RICHED20.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEERR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\odffilt.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\oregres.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\msointl30.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_XPS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODBC.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBE7INTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\VBAJET32.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\SHELLNEW\EXCEL.XLS | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\stdole | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c\Policy.14.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\SHELLNEW\ACCESS.MDB | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\mscomctl | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Extensibility | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
| File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DEFAULT HTML EDITOR\SHELL\EDIT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\AlternateCLSID = "{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}\Compatibility Flags = "1024" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\AlternateCLSID = "{00024522-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\Compatibility Flags = "1024" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DEFAULT MHTML EDITOR\SHELL\EDIT | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\HTML Handler\Icon\.mhtml = ".docmhtml" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-powerpoint.slide.macroEnabled.12\Extension = ".sldm" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\TypeLib\ = "{0D452EE1-E08F-101A-852E-02608C4D0BB4}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\Print\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\SupportedTypes\.txt | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\protocol\StdFileEditing\Verb\0\ = "@%CommonProgramFiles%\\Microsoft Shared\\Office16\\oregres.dll,-1" | C:\Windows\regedit.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{4737A56B-CF15-4A04-A6F0-9A9644B32D70},atpvbaen.xlam = 7a006e003d00420056004a002e007d0058002500210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c0041006400640069006e00410054005000460069006c006500730000000000 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\Conversion\Readable\Main | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76FD94BA-8FF3-40B4-9C56-D7421DBFD10D} | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44FEE887-6600-41AB-95A5-DE33C605116C}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\shell\OpenAsReadOnly\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Workspace\shell\New | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53FACA33-DB22-473F-BB51-96C2C86C9304}\TypeLib | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\ = "Floor" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F7FC18E-292B-11D2-A795-DFAA798E9148}\MiscStatus\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\ViewProtected | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\Version\ = "2.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Access.Dao, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020996-0000-0000-C000-000000000046}\TypeLib\Version = "8.7" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\ = "Slides" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\shell\Printto\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\New\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\Version\ = "2.0" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020945-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000209B3-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\shell\New\ddeexec\ = "[new(\"%1\")]" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F7FC18D-292B-11D2-A795-DFAA798E9148}\TypeLib\ = "{2F7FC181-292B-11D2-A795-DFAA798E9148}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Forms.HTML:TextArea.1\CLSID\ = "{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\Open\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mde\Content Type = "application/msaccess" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wiz\ = "Word.Wizard.8" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\Implemented Categories | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209C7-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0389-0000-0000-C000-000000000046}\TypeLib\Version = "2.8" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E3F602F-BA36-4865-B3CD-F2EB008F62DE}\TypeLib\Version = "9.0" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.ShowMacroEnabled.12 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\shell\Printto\command | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\Verb\1\LocalizedString = "@%CommonProgramFiles%\\Microsoft Shared\\Office16\\oregres.dll,-3" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\InprocHandler32\ = "ole32.dll" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020911-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63FA9988-3004-4449-A54B-A6376492BF4A}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MSGraph.Application\CurVer | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Application.16\CLSID\ = "{000209FF-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document\ = "Microsoft Word Document" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020953-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0002097D-0000-0000-C000-000000000046}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1532-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B06E95A-E47C-11CD-8701-00AA003F0F07}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E962-E47C-11CD-8701-00AA003F0F07}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\Protocol\StdFileEditing\Verb\1 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9212BA73-3E79-11D1-98BD-006008197D41}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{656BBED7-E82D-4B0A-8F97-EC742BA11FFA}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493492-5A91-11CF-8700-00AA0060263B} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C171B-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{787A2D6B-EF66-488D-A303-513C9C75C344}\Version\ = "2.0" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\ProgID\ = "PowerPoint.Show.12" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E974-E47C-11CD-8701-00AA003F0F07} | C:\Windows\regedit.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"
C:\Windows\system32\mode.com
mode con: cols=80 lines=22
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.2."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.3."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.4."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "10."
C:\Windows\system32\mshta.exe
mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd" ::
C:\Windows\system32\mode.com
mode con: cols=80 lines=22
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "5."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.2."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.3."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.4."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "10."
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"
C:\Windows\regedit.exe
regedit /s ospp\unist.dat
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" e -y "ospp\QuickToobar.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Office"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\net.7z" -o"C:\Program Files (x86)\Microsoft.NET"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\MShared.7z" -o"C:\Program Files (x86)\Common Files\Microsoft Shared"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\ShellNew.7z" -o"C:\Windows"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\Addins\OTKLOADR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\ACCWIZ.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\ACCWIZ.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\IEAWSDC.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\IEAWSDC.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOEURO.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOEURO.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOHEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOHEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSOHEVI.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSOHEVI.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSRTEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSRTEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\REFEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\REFEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\OSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\OSF.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\NAME.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\NAME.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\CHART.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\CHART.DLL"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "Office16\MSADDNDR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/s "Office16\MSADDNDR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /s "C:\Windows\sysWOW64\FM20.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Windows\sysWOW64\FM20.DLL"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"C:\\" -t:"C:\\"
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"D:\\office2016" -t:"C:\\Users\\Admin\\AppData\\Local\\Temp\\Office 2016 四合一精简版"
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\test.dat"
C:\Windows\regedit.exe
regedit /s "office16\officeu.dat"
C:\Windows\system32\mshta.exe
mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 8.40.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3968-4-0x0000000000400000-0x000000000048F000-memory.dmp
memory/3968-5-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unist.dat
| MD5 | 48f78af51d6f4fee2d793112a57d9453 |
| SHA1 | 21a400a14c49267be99173b3fcb4b5ea2e7cae9d |
| SHA256 | e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33 |
| SHA512 | 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123 |
C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll
| MD5 | 694d2a073077aede544ab02f9b6d583e |
| SHA1 | 02d08fe89186ffdc9b8a6b70c481729243c22d06 |
| SHA256 | 171ac7a1cb48bd459d4b59a141026f5ec84d0b3705a265e0bac6015d320cd1ae |
| SHA512 | 3313889db184961d0b452968fb413b57a3b6b6f0175889a4f19569e32e69f7c470378234ba980e62350cda67e392f9040b2b5da8cece8e6b628ab6db406bc906 |
C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll
| MD5 | 8123371105dbb370ea3b90e5f5e7ad0c |
| SHA1 | 1ef4e8fc494237e50995592cb4e00becd0bbf982 |
| SHA256 | 0a89f5f1fd9143d4822d349102d33b37cb9f8f42f17c1ea37ac047d70dcd9a95 |
| SHA512 | 50196fb9da3a095436521393b8924859125d978bbf6e0e9af83b4e59a474398e97f09c08a3c5ca4310718677cde84e805a4acc7956b9c5eb8b14c39166579754 |
C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll
| MD5 | 79a3facb00d5f2250388f2093105677c |
| SHA1 | da9645d3e9aa9cebe4696b6977e591a8d5dbfffc |
| SHA256 | 4b380d82641d85b539a0b53a6ac0c187de6102e1cfcbb951448565381cfb12be |
| SHA512 | 53256ba080e37030eef29d16c964bfad4540378a672a8b2f164ce40add8fca409c554b4c14cfeaa083e59b2b66157a8e648315ad7f67c95562df59e5988b88f2 |
C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll
| MD5 | 704ac2c8e2f085154553c20617c63d71 |
| SHA1 | d41d2ec9a81df135c98b1f1feb9a10976d2c719e |
| SHA256 | fc69f45102cbd0897c15a9e80888232733800f73f1bb2cc49ba4e34dd896d446 |
| SHA512 | 9276952b09fca7a2031e80f80263414e16eac8df88da037909315761399d52c260a9b8444a08bac04df6d841a0471a7c38ed5c2634c6c3007de607303572c2c1 |
C:\Windows\sysWOW64\FM20.DLL
| MD5 | 81cb73ff04ae1643ecb1fe08de6eebd2 |
| SHA1 | 6b8dfc4f276da404f830e1f41af2c8cc044d400f |
| SHA256 | 8380e73a0eacf24fac2ff9682fb9717675dbaf26a972e0de5e71b46bce941c85 |
| SHA512 | 431a717d48e24d9f78be7f751d36d6590164c82c7e04cace84bb845c30dee5d4842b38043363c93d657f31dd0802f45170cc77a4166752ce05c573a8cd84256a |
memory/4124-308-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1028-309-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.dat
| MD5 | 0e6ddffe4e0a7f54a68acc67c05bb959 |
| SHA1 | f0fab9434c836e60bc3d49ac34f883dd746c05e4 |
| SHA256 | 8740f131d786441bf8b43c963d8139fa57d32ffeea3241051ffa721e9521ee6d |
| SHA512 | 7e716e8c35a8f999c98586651db730b627ab87cc997447ad6bf681b6e7ededce94eaec04f7336b0598c41a97829ef2e639c75dd84d3b854926fff91379e11180 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win7-20231129-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Grants admin privileges
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\system32\rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E705280-92D1-43CC-A57B-ED48BCCC711D}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0353-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1711-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99755F80-FE96-4F7D-B636-B8E800E54F44}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell\Edit\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F7FC18E-292B-11D2-A795-DFAA798E9148}\Control | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\Conversion | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-word.document.12 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\HTML Handler\Icon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03F1-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91807402-6C6F-47CD-B8FA-C42FEE8EE924}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020980-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E1-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493460-5A91-11CF-8700-00AA0060263B} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell\OpenAsReadOnly\ddeexec\topic | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-word.template.12 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020970-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0322-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF076FDE-8781-4051-A5BC-99F6B7DC04D4}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.8\Shell\ViewProtected\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\DataFormats | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\InprocHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\AuxUserType\3 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000CDB05-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\shell\Show | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\ViewProtected | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0411-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0388-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Print\ddeexec | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209DD-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209F6-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002094A-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209A2-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0369-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\shell\New\ddeexec\topic | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\shell\OpenAsReadOnly\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149349D-5A91-11CF-8700-00AA0060263B} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A52-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\protocol\StdFileEditing\Verb\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-powerpoint.slideshow.macroEnabled.12 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E996-E47C-11CD-8701-00AA003F0F07} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\protocol\StdFileEditing\Verb | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020999-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03BD-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.TemplateMacroEnabled.12\shell\Print | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0320-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\DataFormats\GetSet\4 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E974-E47C-11CD-8701-00AA003F0F07} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4442A83-F623-459C-8E95-8BFB44DCF23A}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020833-0000-0000-C000-000000000046}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E9-0000-0000-C000-000000000046}\ProxyStubClsid | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlt | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\Verb\0 | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\PersistentHandler | C:\Windows\regedit.exe | N/A |
Runs net.exe
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"
C:\Windows\regedit.exe
regedit /s ospp\unist.dat
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\ACCWIZ.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\ACCWIZ.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\CHART.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\CHART.DLL"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\IEAWSDC.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\IEAWSDC.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOEURO.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOEURO.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOHEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOHEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOHEVI.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOHEVI.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSRTEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSRTEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\REFEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\REFEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\NAME.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\NAME.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\OSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\OSF.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSADDNDR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSADDNDR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Windows\sysWOW64\FM20.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "C:\Windows\sysWOW64\FM20.DLL"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
C:\Windows\system32\reg.exe
Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\net.exe
net stop osppsvc
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop osppsvc
C:\Windows\system32\sc.exe
sc delete osppsvc
C:\Windows\system32\net.exe
net localgroup administrators "Network Service" /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators "Network Service" /del
C:\Windows\system32\regsvr32.exe
regsvr32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.dll"
C:\Windows\system32\takeown.exe
takeown /f "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat" /grant administrators:F /t
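The process list above (and the matching one under behavioral4) is an uninstall chain: the directory name "Office 2016 四合一精简版" translates to "Office 2016 four-in-one lite edition" and "卸载.cmd" to "uninstall.cmd". Read in order it imports unist.dat silently with regedit /s, unregisters Office DLLs with regsvr32 /u in both the native and the SysWOW64 view, runs re.inf through setupapi's InstallHinfSection, stops and deletes the Office Software Protection Platform service (osppsvc), and takes ownership of tokens.dat so that administrators get full control of it. Two details matter when weighing the signatures: the net localgroup line ends in /del, so it removes "Network Service" from administrators rather than adding anything, and the RunOnce\GrpConv = "grpconv -o" entry together with the runonce.exe -r and grpconv.exe -o children is the side effect setupapi's InstallHinfSection is known for, not a persistence entry the script writes itself. The added example below is not part of the report: it normalises command lines of this shape and matches them against a small rule set so the same chain can be flagged from process-creation telemetry. The command lines are copied from the list above; the rule names, regexes and the ATT&CK technique mapping are this example's own choices, not the sandbox's signatures.

```python
"""Triage command lines from a process tree of the kind shown in the report (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: command lines copied from the report's behavioral3 process tree.
SAMPLE_CMDLINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"',
    r'regedit /s ospp\unist.dat',
    r'regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"',
    r'REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"',
    r'/u /s "Office16\ACCWIZ.dll"',  # SysWOW64 regsvr32 child: the image name is absent from the line
    r'RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf',
    r'net stop osppsvc',
    r'C:\Windows\system32\net1 stop osppsvc',
    r'sc delete osppsvc',
    r'net localgroup administrators "Network Service" /del',
    r'takeown /f "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat"',
    r'icacls "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat" /grant administrators:F /t',
    r'find "6.1."',
]

# (rule name, ATT&CK technique id, pattern). The mapping to technique ids is this
# example's choice; the report itself does not map its signatures.
RULES = [
    ("silent_reg_import", "T1112",     re.compile(r"^regedit(\.exe)?\s+/s\b", re.I)),
    ("com_unregister",    "T1218.010", re.compile(r"^(regsvr32(\.exe)?\s+)?/u\b.*\.dll", re.I)),
    ("inf_install",       "T1218.011", re.compile(r"^rundll32(\.exe)?\s+setupapi\.dll,\s*InstallHinfSection", re.I)),
    ("service_stop",      "T1489",     re.compile(r"^net1?(\.exe)?\s+stop\s+\S+", re.I)),
    ("service_delete",    "T1489",     re.compile(r"^sc(\.exe)?\s+delete\s+\S+", re.I)),
    ("localgroup_change", "T1098",     re.compile(r"^net1?(\.exe)?\s+localgroup\s+\S+.*\s/(add|del)\b", re.I)),
    ("acl_tamper",        "T1222.001", re.compile(r"^(takeown(\.exe)?\s+/f|icacls(\.exe)?\s+.*\s/grant)\b", re.I)),
]


@dataclass
class Finding:
    rule: str
    technique: str
    cmdline: str


def normalize(cmdline):
    """Reduce a full image path (quoted or not) to its basename so rules can anchor on it:
    'C:\\Windows\\system32\\net1 stop x' -> 'net1 stop x', '"...\\fr.exe" args' -> 'fr.exe args'."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))(.*)$', cmdline, re.S)
    if not m:
        return cmdline.strip()
    image = m.group(1) or m.group(2)
    return image.rsplit("\\", 1)[-1] + m.group(3)


def classify(cmdlines):
    """Return one Finding per (command line, matching rule); lines hitting no rule are dropped."""
    findings = []
    for raw in cmdlines:
        cl = normalize(raw)
        for name, tid, rx in RULES:
            if rx.search(cl):
                findings.append(Finding(name, tid, raw))
    return findings


def summarize(findings):
    """Hit count per rule, so a long uninstall-style chain reads at a glance."""
    return dict(Counter(f.rule for f in findings))


def localgroup_direction(cmdline):
    """For a net localgroup line, distinguish /add from /del. The report's line is a
    removal of 'Network Service' from administrators, the opposite of granting rights."""
    m = re.search(r"/(add|del)\b", normalize(cmdline), re.I)
    return m.group(1).lower() if m else None


if __name__ == "__main__":
    for f in classify(SAMPLE_CMDLINES):
        print(f"{f.technique:10} {f.rule:18} {f.cmdline}")
    print(summarize(classify(SAMPLE_CMDLINES)))
```

The rules anchor on the normalised image name, which is why the SysWOW64 regsvr32 children (whose recorded command line starts at /u) and the full-path net1 line are both caught. Hits per rule are what an analyst compares against the expected shape of a legitimate uninstaller; a single localgroup_change with direction "del" reads very differently from one with "add".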
Network
Files
memory/1908-2-0x0000000000400000-0x000000000048F000-memory.dmp
memory/1908-3-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unist.dat
| MD5 | 48f78af51d6f4fee2d793112a57d9453 |
| SHA1 | 21a400a14c49267be99173b3fcb4b5ea2e7cae9d |
| SHA256 | e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33 |
| SHA512 | 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123 |
C:\Users\Admin\AppData\Local\Temp\re.inf
| MD5 | e4fc9b9ff7402bffbdd8730140b34c14 |
| SHA1 | 7d0470929299adf0848c1d3638c9f21aa5b7eaa9 |
| SHA256 | 86d663270650deebd9dc2acbdd9d996a3dd1eb952c1c1d921cdcbdc7d317f27a |
| SHA512 | 7a68e2cbe2c2bdc188eda84489427316b4017302639e685bfc03417aa4d14836789bf6848815df6782e8e40b9dace9af502f42095d356b45312fdbd7cfbd8e45 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
132s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32 | C:\Windows\regedit.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" | C:\Windows\system32\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll | C:\Windows\system32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\runonce.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\Conversion\Readable\Main | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031C-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1709-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1731-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Edit\ddeexec | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0322-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C3-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD100-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\Open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\OpenAsReadOnly\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C172B-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\Protocol\StdFileEditing\RequestDataFormats | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C037C-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet\CurVer | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\shell\Print\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\shell\Printto\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.12\shell\Edit | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ShellEx | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx\PropertyHandler | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\GetSet\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0308-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB0F-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\PersistentHandler | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\PersistentHandler\ = "{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.OpenDocumentText.12\shell\OnenotePrintto\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\VersionIndependentProgID | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\VersionIndependentProgID | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\ProgID | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Implemented Categories | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031E-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C036D-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\shell\OpenAsReadOnly\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\Verb\0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03D7-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.UriLink.16 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031D-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\shell\Open | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\DocObject | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\Protocol\StdFileEditing\Verb\1 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\shell\New | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\AuxUserType | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\Conversion\Readable | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\ShellEx | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Print\ddeexec | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\DataFormats\GetSet\3 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031C-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\shell\New\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.12\shell\ViewProtected | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\DataFormats | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\DefaultIcon | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03A0-0000-0000-C000-000000000046}\TypeLib | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\shell\Open\command | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0913-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03A6-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1730-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\DataFormats\DefaultFile | C:\Windows\regedit.exe | N/A |
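The "Modifies registry class", "Modifies Internet Explorer settings" and "Registers COM server for autorun" tables in behavioral3 and behavioral4 run to hundreds of rows, almost all of them deletions under HKLM\SOFTWARE\Classes made by regedit.exe, which is what a .reg-driven Office uninstall looks like. The rows worth a second look are the few that are not deletions: the created .xlt, .msg\PersistentHandler and ActiveX Compatibility keys and the .odt\PersistentHandler value. The added example below is not part of the report: it parses rows in the report's own table layout, folds Wow6432Node and native paths into one bucket per class family, counts by operation and process, and lists the created or set entries. The sample rows are copied from the tables above; the bucket names are this example's own.

```python
"""Summarise registry-event rows in the report's table layout (added example)."""
import re
from collections import Counter

# Constructed sample: rows copied verbatim from the report's tables (one appears twice, as in the report).
SAMPLE_ROWS = r"""
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0353-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-word.document.12 | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell\Edit\command | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.xlt | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\PersistentHandler | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\PersistentHandler\ = "{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}" | C:\Windows\regedit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 | C:\Windows\regedit.exe | N/A |
"""

ROW_RX = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
PROGID_FAMILIES = {"WORD": "Word", "EXCEL": "Excel", "POWERPOINT": "PowerPoint"}


def parse_rows(text):
    """Turn '| op | path[ = value] | process | target |' rows into event dicts; header and N/A rows are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RX.match(line)
        if not m or m.group("op") in ("Description", "N/A"):
            continue
        path, value = m.group("path"), None
        if " = " in path:  # 'Set value' rows carry the written value after ' = '
            path, value = path.split(" = ", 1)
        events.append({"op": m.group("op"), "path": path.strip(), "value": value, "proc": m.group("proc")})
    return events


def bucket(path):
    """Map a registry path to a class family, merging the Wow6432Node and native views."""
    p = path.upper()
    p = re.sub(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(WOW6432NODE\\)?", "", p)
    p = re.sub(r"^CLASSES\\(WOW6432NODE\\)?", "", p)
    for prefix, name in (("CLSID\\", "CLSID"), ("INTERFACE\\", "Interface"), ("TYPELIB\\", "TypeLib"),
                         ("MIME\\", "MIME"), ("MICROSOFT\\INTERNET EXPLORER\\", "IE")):
        if p.startswith(prefix):
            return name
    if p.startswith("."):
        return "extension"
    m = re.match(r"(WORD|EXCEL|POWERPOINT)\.", p)
    if m:
        return "ProgID:" + PROGID_FAMILIES[m.group(1)]
    return "other"


def dedupe(events):
    """Collapse rows the report lists twice (same op, path, value and process)."""
    seen, out = set(), []
    for e in events:
        key = (e["op"], e["path"], e["value"], e["proc"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def summarize(events):
    """Counts by operation, by class family and by acting process (basename)."""
    by_op = Counter(e["op"] for e in events)
    by_bucket = Counter(bucket(e["path"]) for e in events)
    by_proc = Counter(e["proc"].rsplit("\\", 1)[-1].lower() for e in events)
    return by_op, by_bucket, by_proc


def additions(events):
    """Everything that is not a deletion: in an uninstall these are the rows to read one by one."""
    return [e for e in events if not e["op"].startswith("Key deleted")]


if __name__ == "__main__":
    ev = dedupe(parse_rows(SAMPLE_ROWS))
    for counter in summarize(ev):
        print(dict(counter))
    for e in additions(ev):
        print(e["op"], e["path"], e["value"] or "")
```

Against the full tables the same three counters show the shape at once: regedit.exe deleting ProgID, CLSID, Interface and TypeLib entries for Word, Excel and PowerPoint, regsvr32.exe removing the IE editor and COM category keys, and a handful of additions that are the only rows a reviewer needs to justify individually.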
Runs regedit.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"
C:\Windows\regedit.exe
regedit /s ospp\unist.dat
C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""
C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\Addins\OTKLOADR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\ACCWIZ.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\ACCWIZ.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\CHART.DLL"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\CHART.DLL"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\IEAWSDC.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\IEAWSDC.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOEURO.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOEURO.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOHEV.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOHEV.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSOHEVI.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSOHEVI.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSRTEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSRTEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\REFEDIT.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\REFEDIT.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\NAME.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\NAME.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\OSF.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\OSF.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "Office16\MSADDNDR.dll"
C:\Windows\SysWOW64\regsvr32.exe
/u /s "Office16\MSADDNDR.dll"
C:\Windows\system32\regsvr32.exe
REGSVR32 /u /s "C:\Windows\sysWOW64\FM20.DLL"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
C:\Windows\system32\reg.exe
Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf
C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.0."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
C:\Windows\system32\find.exe
find "6.1."
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4944-2-0x0000000000400000-0x000000000048F000-memory.dmp
memory/4944-3-0x0000000000400000-0x000000000048F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\unist.dat
| MD5 | 48f78af51d6f4fee2d793112a57d9453 |
| SHA1 | 21a400a14c49267be99173b3fcb4b5ea2e7cae9d |
| SHA256 | e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33 |
| SHA512 | 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123 |
C:\Users\Admin\AppData\Local\Temp\re.inf
| MD5 | e4fc9b9ff7402bffbdd8730140b34c14 |
| SHA1 | 7d0470929299adf0848c1d3638c9f21aa5b7eaa9 |
| SHA256 | 86d663270650deebd9dc2acbdd9d996a3dd1eb952c1c1d921cdcbdc7d317f27a |
| SHA512 | 7a68e2cbe2c2bdc188eda84489427316b4017302639e685bfc03417aa4d14836789bf6848815df6782e8e40b9dace9af502f42095d356b45312fdbd7cfbd8e45 |
memory/1016-10-0x000001785DA40000-0x000001785DA50000-memory.dmp
memory/1016-26-0x000001785DB40000-0x000001785DB50000-memory.dmp
memory/1016-42-0x0000017865FA0000-0x0000017865FA1000-memory.dmp
memory/1016-43-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-44-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-45-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-46-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-47-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-48-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-49-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-50-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-51-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-52-0x0000017865FD0000-0x0000017865FD1000-memory.dmp
memory/1016-53-0x0000017865D00000-0x0000017865D01000-memory.dmp
memory/1016-54-0x0000017865CF0000-0x0000017865CF1000-memory.dmp
memory/1016-56-0x0000017865D00000-0x0000017865D01000-memory.dmp
memory/1016-59-0x0000017865CF0000-0x0000017865CF1000-memory.dmp
memory/1016-62-0x000001785D3E0000-0x000001785D3E1000-memory.dmp
memory/1016-76-0x0000017865E30000-0x0000017865E31000-memory.dmp
memory/1016-74-0x0000017865E20000-0x0000017865E21000-memory.dmp
memory/1016-77-0x0000017865E30000-0x0000017865E31000-memory.dmp
memory/1016-78-0x0000017865F40000-0x0000017865F41000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win7-20240215-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:cy2617.jios.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:k.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.03k.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.chinancce.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.digiboy.ir
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.lotro.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms-win.msdn123.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:m.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:mvg.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:www.beishe.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:xykz.f3322.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:www.zgbs.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.dwhd.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.imazes.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:122.226.152.230
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:115.159.2.184
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:119.28.13.193
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:3rss.vicp.net:20439
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:54.223.212.31
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:cy2617.6655.la
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.aliyun-inc.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.shuax.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:ss.yechiu.xin
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:18
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
173s
Command Line
Signatures
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:cy2617.jios.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:k.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.03k.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.chinancce.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.digiboy.ir
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.lotro.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms-win.msdn123.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:m.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:mvg.zpale.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:www.beishe.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:xykz.f3322.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:www.zgbs.cc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.dwhd.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.imazes.org
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:122.226.152.230
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:115.159.2.184
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:119.28.13.193
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:3rss.vicp.net:20439
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:54.223.212.31
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:cy2617.6655.la
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.aliyun-inc.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:kms.shuax.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Windows\system32\cscript.exe
cscript //Nologo ospp.vbs /sethst:ss.yechiu.xin
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"
C:\Windows\system32\find.exe
find /i "successful"
C:\Windows\system32\cscript.exe
cscript //nologo ospp.vbs /act
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2824 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.225.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win7-20240220-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000bc45ac17d78a49603d2b010cb06f3b7396eb644575a4881b560ac5335746e8f4000000000e8000000002000020000000f3b06b1ad1fa95886356c5250b133efeaffba48c29970f16b9940d7b9ed3e62020000000db7a3ebfe78fc91e77301d30e68dc2130dd799c4a81cc06511d290a9ec6aa68340000000de10c7037771245622663b812e53386d6aef6c3c20ec2b750fbdcf2fe9afe8521495292ac745af66e1695544af570a2f33856c91355c4289ce5ac51436f95fdb | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417275176" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34F6C241-E84E-11EE-852B-6265250A2D3F} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9066ba095b7cda01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5820.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5970.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c450d585dc63bd7281b24bfd37f010a |
| SHA1 | fcc15de10fc5d52b412257c8cc74735251661315 |
| SHA256 | d5b10512b856fcfbd905af36509aa7a43392388fa3c6feb888ed9e342488f655 |
| SHA512 | ccf3d637ec24be17945d20eb59ff9cf4e3f9452eb3b35d2016acded453c4b8dbd810259d73753a8864fb7f72dc4241f45d3f685270b484b13cbd060656aeafed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f3c06793fe0f3ae176d70ee919a6552b |
| SHA1 | 2ec3f7952e883f9e8c9c33fcf33ddaf4692c6bfd |
| SHA256 | 7e3e1ae7828dd4f29f75252efc560037ef5657cad15835a92f4f000390b800b3 |
| SHA512 | 677011569d69a91e58566d675c8bdc74939868bfdc9ff5dc4946c027819d73c684318e436136a3374ae274bad6660515cfd08ab175aad146b4be643b7288b3cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40fb6a57d22082af802631ead14d7b5a |
| SHA1 | 6fe588ec0225c1e2535e354f231cc68c43272584 |
| SHA256 | 2706b1e8bee8f3d6623012405c850e6422cf102a2ff82f8fd5303000231a4130 |
| SHA512 | 49caa88f1a88bbb0992d80615d610abd74299059e1e09a163122d651a11d73ce777f753ab4a890b8d2278494feb35cf89005703a872e3d0d9cb8959440f79045 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae4e218bdabbf9947eba7fc3fa918baf |
| SHA1 | a11b32321e15fc12e133836188239c93335da3eb |
| SHA256 | e5bf74fd78c492abdd48bb2e5595e5614cd22d73a037ed2b5b822eb571641755 |
| SHA512 | 99a6d4aa8865affa6d506984231ab4b1762a8edaf51e9a5eee0465825187b7a4f9cafa6fb7757cd05ad237268d185776b9c74abe935bfef1d94309370a641b9a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3b55a3e147b5a684c998c1b35a22a270 |
| SHA1 | 7bdf656776d27b1b53088021a9f57d6643c84f45 |
| SHA256 | deb14618c93b6b3c19f1eaa985572984b31d5ef8c1c2319d7882c5145825bfbf |
| SHA512 | ec776f06287dd7d94be8632025d0c9261c1228736d8677ef88cada0b09fc6b1d4350257b63b6806f8180bedb374c93b8c314dd195c6e70e41d23037a4922a61d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 54b43755209c3914abf081cc6f561ae6 |
| SHA1 | 9da84f71936d089756d9942b0e62bb2e40661f00 |
| SHA256 | e4d735409b233279e159dc7e3940421a6c9a9cc1a269228f552924343d12ab65 |
| SHA512 | 2935a5f31d38757581638b145c9bd2a78b13709812f6e04992d838f0e61833ff6fd6b2fe43c644467ca4c80d9bf6fb02f73d7ff5e6e10c0e336bf1ee4718a1f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3c0254d7af49b361cf8693ff40dbabd2 |
| SHA1 | 7daa920f0d24e1b1f6deb4183b21e4d56a7e7ee7 |
| SHA256 | 0bfde4c594698b28fbe364e67a411ef7e96f6ab94b7a16dffb566a3d34b46431 |
| SHA512 | e5215e9e419955d29744cf49d83b92e69cbb90fc1cd32ceb076bb8df11c1421f2f98014cf8b152673675e4947a888a41e10c748a925a514554cd268ad8bc4166 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e21885155c697aa3414e48c2b4f4b35 |
| SHA1 | ebe30c727f96b1c03f9ceaf3a6767ca91b2d7499 |
| SHA256 | 9b76cc887a853e0230824d9149dc7ea0c59940b3f645361fe51ad6f0acb1f90e |
| SHA512 | 8e8290901a4d243fa6ea3a4374a115b350617309ce727caf8b7c39a3e7f4c0b764dd6b29770ff28198a27801de970ab5f32b4ae32c13c29226196b8572f92fd0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95b40f5563cf93fd75948c05599b66e7 |
| SHA1 | a1d9ca12095cf0dc858e23ca7711d3f3b8228d4f |
| SHA256 | ea2be1c87032d3a4f5185430dd7be069e803f1c7d12a60f7cfba8396e497d015 |
| SHA512 | 79baa10ffd723e00a283c52bddc03295c81f8deeff4d843f2843310e970387d7be444cf49ed527cc83a309b49c4fc834c597fc0e126994e1e8eceb541a94e628 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c9f427c2584549ed560832ae6a5bbc7 |
| SHA1 | 45eeb2d4d77093124e57fc95f54e6eb6418cb91c |
| SHA256 | 99ca5a369471add57797b1ca7be13f14044ed4aad226b001c97ccd917b7df653 |
| SHA512 | b3e1fd720f5d28289d8b7be001a052ff45c86f68081992c33c15717238c3e6b8119ac99e21fd015ec1114bd026b4574a1ee2507997fa50df00d35a32dda1c8be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1638e9471662a87af273fcf71951cb0b |
| SHA1 | 90c9e605459a57716baedc062e3ca9b2d0e81eda |
| SHA256 | a2ed46833a864cc5b6b151d60723a9a03ba5ddfe210056dd81127b7c93c8b060 |
| SHA512 | 0b4052b580e657abb66c3784c4d10dc4a106c1467dcef5f6e13ce79527f62e7d7c63fed51a306f71b49b065632fbb5687c9cbfd0e9678c94c35b9363cb4b02c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a32f00f0b27bb9769e5308d99bf30ff3 |
| SHA1 | c77327da6ad73fb687ae6e663065de72f62997d4 |
| SHA256 | 1834ab708a4e933feacfdcedbf3ce796cc0dd7ec30fcdb4f0768e5c919f462c2 |
| SHA512 | dc95afad3f270817d8dc61bbb3c2f9d7a72fe0131c8b70e1e33b0c5c6a05e403041ac8c0f025f9d05fc8e9ceba4032ee2d6dc2c2b6e5f404123041a981ff884b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f79a1c10ef9c9ed9ed2d019874a5b774 |
| SHA1 | 32296440d163bf6ff188883aa17b8767751818d2 |
| SHA256 | b1c869aab708c44ca63c2b61d26de151b7156ab986a5d20637dcc95f791c2062 |
| SHA512 | 45b7a3650833c1f1557f5b83897ea8d102a5a1a52eb6823ffb33040f4dbbadd06834eb0e93cc9001de42dd2c84dfbd5588b9943f2970b430ec15a1a206d2549d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c4fc795825c8cd810d21984be94b2f5b |
| SHA1 | 62e647cd6a9afa012a7de325dc008ce6bcd20896 |
| SHA256 | 32bba2562b2b070335c512be46e210285385dbd38dc89672e4eee17109050196 |
| SHA512 | 1bf934154c7b31f5dd9fed9126264115b6d99e98408010d0552a833d8a4b7f037f79ba134e49e5ff7c8b634ea961a136f86833c201569cc095f697078811c4d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 519c7bcf0732a5b2f37d203745b805ff |
| SHA1 | f6bf349b635b8cba9fb4c168a39ca7ffcdfbd7eb |
| SHA256 | b0663cb27ed570d87924efb471c7d1074837c68433422b6848b5811d109b61f7 |
| SHA512 | 79b22bdaf0a92348b41b1f5c77524403cdfa7c976b58f7194e9ed2ea0ea4c1f4189e5705b99536c9a82bd5ed18b3c905fb5b4b884b6d0548fa561285cec3bd40 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 409ca41ef6cbe0557901132ab223928a |
| SHA1 | f348d759895d96809abfdae4c8ee043ba0ffda14 |
| SHA256 | b024dfef4b3c464aed2f7d59e3bad88675b6904fcd62df275831edebd8fa1a36 |
| SHA512 | 2e267494289f49bb98fbcb757a57572a35a49e902600771b497b4f0edf5bee1cd5bfbee1958d638b3b8057ebf3a47be45da6eda3886dc045f91241650574beb2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7696abea84b28b626826b2bba8c6e6df |
| SHA1 | f2a3a05d01070c214f02e561687c9d5ca359eeaf |
| SHA256 | aa6d15d292be2ae19a9d4311bbb2ab19621f4d67dd24038d142d203766b92c41 |
| SHA512 | b252745df295e6a5559308c645fc219e54278c5d675c9e7eb02c39557c5c6fe21cc7cb162fd2f8e647cb26c8aca03850aad99fc1c5d143281c2e909fca874c61 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d8de0172b8f0f0ff257ac5a1e9c38770 |
| SHA1 | 9b967f7fce8abe1258ce26e46cd0be644da337bf |
| SHA256 | 46608b77d20be56428d2ee668e750a5121c4306c9ff5a0e8f2bbc4f773cd7464 |
| SHA512 | 2bea33df2042b851c2bd02d78be2331834e8e425e321214891947a31e8de4997e778eec1b542ca040c72897917df69539c5e788557b277831be8eb0a02be8307 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92ad2d5bfe7d83c862de8f796282e718 |
| SHA1 | 0919808c8175f92a898c37bd235dde75a5e37c2e |
| SHA256 | cd6b72448f3ff9a3e16524981ea62cec6976d83d37f074338db17aedb09f8e7d |
| SHA512 | f807c8e224d2407598f523ffe994bece0b9e5fa0f26628479dd2642ed17d7eea76a03114f3bdf532bbd82647e452fd062e83d217ef546929adbeadb76f2a7ffe |
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/2504-0-0x00007FFED07D0000-0x00007FFED07E0000-memory.dmp
memory/2504-1-0x00007FFF10750000-0x00007FFF10945000-memory.dmp
memory/2504-2-0x00007FFF10750000-0x00007FFF10945000-memory.dmp
memory/2504-3-0x00007FFF10750000-0x00007FFF10945000-memory.dmp
memory/2504-4-0x00007FFF0E1E0000-0x00007FFF0E4A9000-memory.dmp
memory/2504-5-0x00007FFED07D0000-0x00007FFED07E0000-memory.dmp
memory/2504-6-0x00007FFF10750000-0x00007FFF10945000-memory.dmp
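Most of what the Files and Network blocks above record is side-effect noise from the sandbox rather than activity of the sample: the Cab*.tmp / Tar*.tmp files and the CryptnetUrlCache entries are what CryptoAPI writes while Internet Explorer fetches certificate revocation and trust lists, the same CryptnetUrlCache MetaData path listed many times with different hashes is one file being rewritten rather than many drops, and the in-addr.arpa lookups are reverse-DNS of Microsoft/Bing endpoints the browser contacted. The following is an added example written for this page, not part of the sandbox report or of the analysed archive. It parses the report's plain-text Files and Network layout into IOC records and sorts them into "noise" and "review" buckets. The sample input is copied from the lines above except for one constructed placeholder path with an all-zero hash, added only so the review path is exercised; the noise rules (which paths and domains count as CryptoAPI or Microsoft background traffic) are the editor's judgement, not a classification the report itself makes.

```python
"""Turn a Triage-style sandbox report's Files and Network blocks into IOC
records and separate sandbox/background noise from entries worth review.
Added example; interpretation of the noise categories is the editor's own."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines copied from the report, plus one placeholder
# record (placeholder-dropped.exe, all-zero hash) that is NOT from the report.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\Cab5820.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
C:\Users\Admin\AppData\Local\Temp\Tar5970.tmp
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | d5b10512b856fcfbd905af36509aa7a43392388fa3c6feb888ed9e342488f655 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | 7e3e1ae7828dd4f29f75252efc560037ef5657cad15835a92f4f000390b800b3 |
C:\Users\Admin\AppData\Roaming\placeholder-dropped.exe
| SHA256 | 0000000000000000000000000000000000000000000000000000000000000000 |
memory/2504-0-0x00007FFED07D0000-0x00007FFED07E0000-memory.dmp
"""

SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
"""

HASH_ROW = re.compile(r"\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|")

# Paths CryptoAPI writes during CRL/CTL retrieval (editor's assumption about
# what these artifacts are): the downloaded CAB, its extracted content, and
# the URL cache. They are browser start-up side effects, not payload drops.
CRYPTO_CACHE_MARKERS = (
    "\\cryptneturlcache\\",
    "\\appdata\\local\\temp\\cab",
    "\\appdata\\local\\temp\\tar",
)
MICROSOFT_NOISE_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com")


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex


def parse_files(text):
    """A path line starts a record; following '| ALG | hex |' rows attach to it."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_ROW.fullmatch(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
        else:
            current = FileRecord(path=line)
            records.append(current)
    return records


def classify_file(rec):
    p = rec.path.lower()
    if p.startswith("memory/"):
        return "memory-dump"
    if any(marker in p for marker in CRYPTO_CACHE_MARKERS):
        return "crypto-cache-noise"
    return "review"


def parse_network(text):
    """Rows of '| Country | ip:port | Domain | Proto |'; header row is skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'133.32.126.40.in-addr.arpa' -> '40.126.32.133' (IPv4 PTR owner name)."""
    labels = name.lower().removesuffix(".in-addr.arpa").split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) <= 255 for l in labels):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels))


def classify_domain(domain):
    d = domain.lower()
    if d.endswith(".in-addr.arpa"):
        return "reverse-dns"          # PTR lookups of IPs the browser talked to
    if d.endswith(MICROSOFT_NOISE_SUFFIXES):   # suffix match; 'notbing.com' stays review
        return "microsoft-noise"
    return "review"


def triage(files_text, network_text):
    files, net = parse_files(files_text), parse_network(network_text)
    rewrites = defaultdict(set)      # path -> distinct SHA256 seen for it
    for r in files:
        if "SHA256" in r.hashes:
            rewrites[r.path].add(r.hashes["SHA256"])
    return {
        "files": dict(Counter(classify_file(r) for r in files)),
        "network": dict(Counter(classify_domain(r["domain"]) for r in net)),
        # same path, several hashes: one file overwritten repeatedly
        "rewrites": {p: len(h) for p, h in rewrites.items() if len(h) > 1},
        "review_sha256": sorted(r.hashes["SHA256"] for r in files
                                if classify_file(r) == "review" and "SHA256" in r.hashes),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_FILES, SAMPLE_NETWORK).items():
        print(k, v)
```

Run against the full report, only the placeholder lands in the review bucket; everything the report lists for behavioral1 is CryptoAPI cache churn, and the behavioral6/behavioral10 network traffic is Bing and reverse-DNS background from the Windows 10 image. The hashes worth pushing to a blocklist are therefore the ones in the review bucket, not the twenty-odd CryptnetUrlCache entries.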
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:18
Platform
win7-20240221-en
Max time kernel
121s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-22 13:10
Reported
2024-03-22 13:17
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.40.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |