Malware Analysis Report

2024-11-16 12:27

Sample ID: 240322-qenw8seb5t
Target: Officesample.zip
SHA256: 1c42f2f3c5c890651be771c2d7a9e98818f76c4f5373f1568b959ea4be0ecd91
Tags: macro, upx, persistence, discovery, evasion, exploit
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview; Signatures
Analysis: behavioral1
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral2
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral3
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral4
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral7
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral8
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral5
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral6
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral9
    Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral10
    Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

Score: 9/10
SHA256: 1c42f2f3c5c890651be771c2d7a9e98818f76c4f5373f1568b959ea4be0ecd91
Threat Level: Likely malicious

The file Officesample.zip was found to be: Likely malicious.

Malicious Activity Summary

Tags: macro, upx, persistence, discovery, evasion, exploit

Grants admin privileges

Sets file execution options in registry

Possible privilege escalation attempt

Suspicious Office macro

Stops running service(s)

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Registers COM server for autorun

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SetWindowsHookEx

Modifies registry class

Runs regedit.exe

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-22 13:12

Signatures

Suspicious Office macro

Tags: macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-22 13:10
Reported: 2024-03-22 13:17
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"

Signatures

Sets file execution options in registry

Tags: persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Windows\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Windows\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Windows\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE\DisableExceptionChainValidation = "0" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Windows\regedit.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Registers COM server for autorun

Tags: persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 | C:\Windows\regedit.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A
File opened for modification | C:\Windows\sysWOW64\FM20CHS.DLL | C:\Windows\System32\cmd.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSPTLS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ALRTINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO99LWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEODBCI.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCH.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUIRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.CNT | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\xlsrvintl.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEERR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWDAT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEXBE.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODTXT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXPSRV.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\eqnedt32.exe.manifest | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\msgfilt.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\VBAJET32.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\zh-cn | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\PortalConnectCore.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\MTEXTRA.TTF | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\odffilt.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\msointl30.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_PDF.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBE7INTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EEINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODDBS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO30WIN32CLIENT.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_XPS.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c\Policy.14.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Extensibility | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35 | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\mscomctl | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\SHELLNEW | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\SHELLNEW\EXCEL.XLS | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\Microsoft.StdFormat | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.office.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.config | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A
File created | C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini | C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\system32\mshta.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} | C:\Windows\regedit.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} | C:\Windows\regedit.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\AlternateCLSID = "{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\AlternateCLSID = "{00024522-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}\Compatibility Flags = "1024" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\Compatibility Flags = "1024" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\mshta.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
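The "Set value (data)" rows in this table store a hex blob under ...\shell\edit\command\command, next to a plain string value that points at Office14\WINWORD.EXE (an Office 2010 path, even though the package installs into Office16: the bundled registration data is stale). The keys themselves are the "Edit with Word" verbs for Internet Explorer's Default HTML/MHTML Editor, written by the Office DLLs that regsvr32 registers later in the run, so this signature fires for any Office registration and is not on its own evidence of a browser hijack. The Python below is an analyst's worked example added to this page, not code from the report or from the sample. It decodes the blob, which is UTF-16LE text, and splits it on the layout Windows Installer uses for an advertised verb (20-character product block, feature name, ">", 20-character component block, then the verb arguments); the trailing double NUL is consistent with REG_MULTI_SZ. Reading it as a Windows Installer descriptor is my interpretation; the base-85 GUID blocks are separated but not decoded here.

```python
# Hex dump copied verbatim from the "Set value (data)" rows of this report.
COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"

# The string value written beside it (also from this report), for comparison.
DEFAULT_VALUE = '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE" /n "%1"'


def decode_reg_binary_utf16(hexdump: str) -> str:
    """Turn a sandbox hex dump that really holds UTF-16LE text into a string.

    Registry data printed as hex is often REG_MULTI_SZ/REG_SZ that the tool did
    not recognise; the NUL padding at the end is the string terminator(s).
    """
    raw = bytes.fromhex(hexdump)
    if len(raw) % 2:
        raise ValueError("odd byte count, not UTF-16")
    return raw.decode("utf-16-le").rstrip("\x00")


def split_descriptor(text: str):
    """Split '<descriptor> <args>' the way an advertised verb is laid out.

    Layout assumed (my reading, see lead-in): 20-char product code, feature
    name, '>', 20-char component code, a space, then the verb arguments.
    Returns None when the value is a plain command line instead.
    """
    descriptor, _, args = text.partition(" ")
    head, sep, component = descriptor.partition(">")
    if not sep or len(component) != 20 or len(head) < 21:
        return None
    return {
        "product": head[:20],
        "feature": head[20:],
        "component": component,
        "args": args,
    }


if __name__ == "__main__":
    text = decode_reg_binary_utf16(COMMAND_HEX)
    print("decoded :", text)
    print("fields  :", split_descriptor(text))
    print("fallback:", DEFAULT_VALUE, "->", split_descriptor(DEFAULT_VALUE))
```

When the shell resolves the "edit" verb it consults the descriptor first, so the component Windows Installer resolves, not the Office14 path in the string value, is what actually runs; check both before concluding which binary a hijacked verb would launch.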

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.8\shell\OnenotePrintto C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\protocol\StdFileEditing C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\protocol\StdFileEditing\SetDataFormats C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.OpenDocumentText.12\protocol\StdFileEditing\RequestDataFormats\ = "NoteshNote,NotesDocAction" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020914-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0341-0000-0000-C000-000000000046}\ = "Script" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsm\PerceivedType = "document" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\2\ = "1,1,1,3" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7E2AB674-BB21-4CC2-ADE5-092DA15B51FF}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FM20.DLL" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\Version C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020941-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1715-0000-0000-C000-000000000046}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B0E334D-B734-458A-A041-B528D031D4E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\shell\Print\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xll\ = "Excel.XLL" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149346B-5A91-11CF-8700-00AA0060263B}\ = "SlideRange" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.12\shell\OpenAsReadOnly\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6FFA84BB-A350-4442-BB53-A43653459A84}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}\TypeLib\ = "{AC2DE821-36A2-11CF-8053-00AA006009FA}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Verb\0\ = "&Edit,0,2" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6A-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Windows\\SysWOW64\\msohtmed.exe\" /p %1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Application.16\CLSID C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020803-0000-0000-C000-000000000046}\Verb\1\ = "&Open,0,2" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template\CurVer\ = "Word.Template.12" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209B9-0000-0000-C000-000000000046}\ = "_Global" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149346C-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A5E-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DBC51762-A8ED-11D3-A0DD-00C04F68712B}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5970C574-EB8C-11CD-8701-00AA003F0F07}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\DefaultFile C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020910-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D1523700-6128-101B-AF4E-00AA003F0F07}\TypeLib C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493474-5A91-11CF-8700-00AA0060263B}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493468-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ELMFile\DefaultIcon\ = "D:\\office2016\\icons\\misc.exe,6" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-msexcel C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ms-powerpoint\DefaultIcon\ = "D:\\office2016\\Office16\\POWERPNT.EXE,0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73A4C9C1-D68D-11D0-98BF-00A0C90DC8D9} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\shell\Show C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShow.12\shell\ViewProtected C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\DataFormats\GetSet\1 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020967-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493455-5A91-11CF-8700-00AA0060263B} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2B83A65-B061-4469-83B6-8877437CB8A0}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AFC20920-DA4E-11CE-B943-00AA006887B4}\InprocServer32\ = "C:\\Windows\\sysWOW64\\FM20.DLL" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Access.UriLink.16\DefaultIcon\ = "D:\\office2016\\Office16\\MSACCESS.EXE,0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Access.WizardDataFile.16\shell\Open\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\3\ = "3,1,32,1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{352840A9-AF7D-4CA4-87FC-21C68FDAB3E4}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E978-E47C-11CD-8701-00AA003F0F07}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0354-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0002E157-0000-0000-C000-000000000046}\5.3\0\win32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020827-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\DataFormats\GetSet\0\ = "3,1,32,1" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03CB-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E954-E47C-11CD-8701-00AA003F0F07}\TypeLib\ = "{4AFFC9A0-5F99-101B-AF4E-00AA003F0F07}" C:\Windows\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 352 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 352 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 352 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 352 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 352 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2600 wrote to memory of 2480 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2480 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 2600 wrote to memory of 2480 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 2480 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 2480 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 2480 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2480 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2480 wrote to memory of 2360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2480 wrote to memory of 2444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
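The rows above are the sandbox's view of process creation rather than injection: a parent writes the new child's startup data into it, so every launch by cmd.exe trips this signature, and each child appears three times for a single launch. Rebuilding the parent/child tree from the rows makes the elevation step visible. cmd.exe (PID 352) runs "!)安装.cmd" ("!)install.cmd") from the "Office 2016 四合一精简版" ("Office 2016 four-in-one lite edition") folder; after its "ver | find" OS-version probes it launches mshta.exe (PID 2600) with an inline VBScript that calls ShellExecute with the "runas" verb (a UAC elevation request through the consent prompt, not a bypass), and the elevated cmd.exe (PID 2480) reruns the same script with "::" as its marker argument (see the Processes list below). The Python below is an added example, not code from the report or the sample; the rows and command lines it embeds are copied from this page, and the tag names and heuristics are my own.

```python
import re
from collections import defaultdict

# One row per parent/child pair, copied from the WriteProcessMemory table of
# this report (the report lists each pair three times; duplicates are dropped).
WPM_ROWS = r"""
PID 352 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 352 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 352 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 352 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2600 wrote to memory of 2480 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 2480 wrote to memory of 2616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
"""

# Command lines copied from the Processes list of this report.
CMDLINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"',
    r'C:\Windows\system32\cmd.exe /S /D /c" ver "',
    r'find "6.1."',
    r'mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)',
    r'regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"',
    r'"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"',
    r'REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"',
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")


def build_tree(rows: str):
    """Map PID -> image name and parent PID -> ordered, de-duplicated child PIDs."""
    image, children, seen = {}, defaultdict(list), set()
    for m in ROW_RE.finditer(rows):
        ppid, pid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m.group(3).rsplit("\\", 1)[-1].lower())
        image[pid] = m.group(4).rsplit("\\", 1)[-1].lower()
        if (ppid, pid) not in seen:
            seen.add((ppid, pid))
            children[ppid].append(pid)
    return image, children


def find_chains(image, children, want):
    """Return every ancestry path that ends with the image names in `want`, in order."""
    want, hits = list(want), []

    def walk(pid, path):
        path = path + [image[pid]]
        if path[-len(want):] == want:
            hits.append(path[-len(want):])
        for child in children.get(pid, ()):
            walk(child, path)

    roots = [p for p in children if all(p not in kids for kids in children.values())]
    for root in roots:
        walk(root, [])
    return hits


def classify(cmdline: str):
    """Tag one command line with the behaviours seen in this run (my heuristics)."""
    low, tags = cmdline.lower(), []
    if low.startswith("mshta") and ("vbscript:" in low or "javascript:" in low):
        tags.append("mshta_inline_script")          # script passed on the command line, no .hta file
        if '"runas"' in low:
            tags.append("uac_consent_prompt")       # ShellExecute verb "runas" asks for elevation
    if low.startswith("regedit") and " /s " in low and "\\appdata\\local\\temp\\" in low:
        tags.append("silent_reg_import_from_temp")  # .reg import with no prompt, from a user-writable dir
    if "7za.exe" in low and '-o"c:\\windows' in low:
        tags.append("archive_extract_into_windows_dir")  # archiver writing under C:\Windows (GAC here)
    return tags


def triage(cmdlines):
    """Keep only the command lines that earned at least one tag."""
    return {c: classify(c) for c in cmdlines if classify(c)}


if __name__ == "__main__":
    image, children = build_tree(WPM_ROWS)
    for chain in find_chains(image, children, ("cmd.exe", "mshta.exe", "cmd.exe")):
        print("elevation relaunch:", " -> ".join(chain))
    for cmd, tags in triage(CMDLINES).items():
        print(tags, cmd[:90])
```

The cmd.exe -> mshta.exe -> cmd.exe chain is the signal worth alerting on; the cmd.exe -> find.exe and cmd.exe -> mode.com rows are the noise that makes a raw WriteProcessMemory count useless for cmd scripts.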

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"

C:\Windows\system32\mode.com

mode con: cols=80 lines=22

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "5."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.2."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.3."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.4."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "10."

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd" ::

C:\Windows\system32\mode.com

mode con: cols=80 lines=22

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "5."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.2."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.3."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.4."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "10."

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"

C:\Windows\regedit.exe

regedit /s ospp\unist.dat

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" e -y "ospp\QuickToobar.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Office"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\net.7z" -o"C:\Program Files (x86)\Microsoft.NET"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\MShared.7z" -o"C:\Program Files (x86)\Common Files\Microsoft Shared"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\ShellNew.7z" -o"C:\Windows"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\Addins\OTKLOADR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\ACCWIZ.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\ACCWIZ.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\IEAWSDC.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\IEAWSDC.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOEURO.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOEURO.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOHEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOHEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOHEVI.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOHEVI.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSRTEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSRTEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\REFEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\REFEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\OSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\OSF.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\NAME.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\NAME.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\CHART.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\CHART.DLL"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSADDNDR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSADDNDR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Windows\sysWOW64\FM20.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\sysWOW64\FM20.DLL"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"C:\\" -t:"C:\\"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"D:\\office2016" -t:"C:\\Users\\Admin\\AppData\\Local\\Temp\\Office 2016 四合一精简版"

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\test.dat"

C:\Windows\regedit.exe

regedit /s "office16\officeu.dat"

C:\Windows\system32\mshta.exe

mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")

C:\Windows\system32\mshta.exe

mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Excel 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\EXCEL.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")

C:\Windows\system32\mshta.exe

mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\PowerPnt2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\POWERPNT.EXE"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")
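The process listing above is the installer's entire control flow: an OS-version probe (`ver` piped through `find` for "5.", "6.0." … "10."), a UAC consent prompt requested through mshta's ShellExecute with the `runas` verb, `.dat` files handed to the bundled fr.exe and then imported silently with `regedit /s`, 7za.exe extracting straight into `C:\Windows` and `Program Files`, paired `regsvr32 /s` calls (the SysWOW64 copy with a bare `/s <dll>` command line is the relaunch 64-bit regsvr32 performs for 32-bit DLLs), and mshta VBScript writing Desktop shortcuts. The Python below is an added example, not part of this report or of the sample: it parses the listing in the layout printed above (image path and command line on alternating non-blank lines), tags each record with the behaviour it shows, and correlates the silent registry import with the file a package-bundled tool had just been run against. The sample listing is a constructed slice of the lines above; the tag names are this example's own.

```python
"""Tag the behaviours in a sandbox process listing (added example, not report code)."""
from __future__ import annotations

import ntpath
import re

# Constructed sample: a slice of the process listing above, kept in the
# report's own layout (image path, blank line, command line, blank line).
SAMPLE_LISTING = r'''
C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "10."

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\system32\mshta.exe

mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.Save:close")

C:\Windows\system32\mode.com

mode con: cols=80 lines=22
'''

PROTECTED_DIRS = ("c:\\windows", "c:\\program files")


def parse_listing(text: str) -> list[tuple[str, str]]:
    """Pair each image path with the command line printed after it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing does not pair up image/command-line lines")
    return list(zip(lines[0::2], lines[1::2]))


def _quoted_args(cmdline: str) -> list[str]:
    return re.findall(r'"([^"]+)"', cmdline)


def classify(image: str, cmdline: str, staged: set[str]) -> list[str]:
    """Tags for one record; `staged` holds paths earlier handed to bundled tools."""
    name = ntpath.basename(image).lower()
    low = cmdline.lower()
    tags: list[str] = []
    if name == "mshta.exe":
        if "shellexecute" in low and '"runas"' in low:
            tags.append("uac_prompt_via_mshta")   # ShellExecute verb "runas" raises the UAC consent prompt
        if "createshortcut" in low:
            tags.append("shortcut_written_by_mshta")
        if re.match(r"mshta\s+(vbscript|javascript):", low):
            tags.append("mshta_inline_script")
    elif name == "cmd.exe" and re.search(r'/c"?\s*ver\b', low):
        tags.append("os_version_probe")           # the `ver` output is then grepped with find "10." etc.
    elif name == "regedit.exe" and re.search(r"\bregedit(\.exe)?\s+/s\b", low):
        tags.append("silent_reg_import")
        if any(p.lower() in staged for p in _quoted_args(cmdline)):
            tags.append("reg_import_of_staged_file")
    elif name == "regsvr32.exe" and re.search(r"(^|\s)/s\b", low):
        tags.append("silent_com_registration")   # bare "/s <dll>" is the SysWOW64 relaunch for 32-bit DLLs
    elif name == "7za.exe":
        m = re.search(r'-o"?([^"]+)', cmdline)
        if m and m.group(1).lower().startswith(PROTECTED_DIRS):
            tags.append("extract_into_protected_dir")
    return tags


def triage(listing: str) -> dict[str, list[str]]:
    """Return {tag: [command lines]} for every record that matched a rule."""
    findings: dict[str, list[str]] = {}
    staged: set[str] = set()
    for image, cmdline in parse_listing(listing):
        for tag in classify(image, cmdline, staged):
            findings.setdefault(tag, []).append(cmdline)
        if not image.lower().startswith("c:\\windows\\"):
            # Paths a tool from the extracted package touched may be consumed by a later system utility.
            staged.update(p.lower() for p in _quoted_args(cmdline))
    return findings


if __name__ == "__main__":
    for tag, lines in triage(SAMPLE_LISTING).items():
        print(f"{tag}: {len(lines)} record(s)")
```

Running it on the full listing rather than the slice above only adds more records per tag; the rule set deliberately keys on the image name as well as the command line, because the SysWOW64 regsvr32 records carry no "regsvr32" token at all.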

Network

N/A

Files

memory/1672-3-0x0000000000400000-0x000000000048F000-memory.dmp

memory/1672-4-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unist.dat

MD5 48f78af51d6f4fee2d793112a57d9453
SHA1 21a400a14c49267be99173b3fcb4b5ea2e7cae9d
SHA256 e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33
SHA512 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123

C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll

MD5 694d2a073077aede544ab02f9b6d583e
SHA1 02d08fe89186ffdc9b8a6b70c481729243c22d06
SHA256 171ac7a1cb48bd459d4b59a141026f5ec84d0b3705a265e0bac6015d320cd1ae
SHA512 3313889db184961d0b452968fb413b57a3b6b6f0175889a4f19569e32e69f7c470378234ba980e62350cda67e392f9040b2b5da8cece8e6b628ab6db406bc906

C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll

MD5 8123371105dbb370ea3b90e5f5e7ad0c
SHA1 1ef4e8fc494237e50995592cb4e00becd0bbf982
SHA256 0a89f5f1fd9143d4822d349102d33b37cb9f8f42f17c1ea37ac047d70dcd9a95
SHA512 50196fb9da3a095436521393b8924859125d978bbf6e0e9af83b4e59a474398e97f09c08a3c5ca4310718677cde84e805a4acc7956b9c5eb8b14c39166579754

C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll

MD5 79a3facb00d5f2250388f2093105677c
SHA1 da9645d3e9aa9cebe4696b6977e591a8d5dbfffc
SHA256 4b380d82641d85b539a0b53a6ac0c187de6102e1cfcbb951448565381cfb12be
SHA512 53256ba080e37030eef29d16c964bfad4540378a672a8b2f164ce40add8fca409c554b4c14cfeaa083e59b2b66157a8e648315ad7f67c95562df59e5988b88f2

C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll

MD5 704ac2c8e2f085154553c20617c63d71
SHA1 d41d2ec9a81df135c98b1f1feb9a10976d2c719e
SHA256 fc69f45102cbd0897c15a9e80888232733800f73f1bb2cc49ba4e34dd896d446
SHA512 9276952b09fca7a2031e80f80263414e16eac8df88da037909315761399d52c260a9b8444a08bac04df6d841a0471a7c38ed5c2634c6c3007de607303572c2c1

memory/2496-254-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2496-255-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2564-256-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2564-257-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.dat

MD5 0e6ddffe4e0a7f54a68acc67c05bb959
SHA1 f0fab9434c836e60bc3d49ac34f883dd746c05e4
SHA256 8740f131d786441bf8b43c963d8139fa57d32ffeea3241051ffa721e9521ee6d
SHA512 7e716e8c35a8f999c98586651db730b627ab87cc997447ad6bf681b6e7ededce94eaec04f7336b0598c41a97829ef2e639c75dd84d3b854926fff91379e11180

C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF

MD5 e269de5f63fcdedca11755947615f1fb
SHA1 f36d544ffaf7cb5112b502dab224087e9b323e38
SHA256 6c469962f33b7222f07b8d1ae8025f177f4a5f5db3eb62fa1523f261a270991f
SHA512 47cdc49bec88b384d27335e3192eeaa38cbd0c7c5770bcda15382311dcc7eb74d73785b0a0159bc8e5953225ebb84698b793b42737d879c892504c8d962633dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

153s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe\DisableExceptionChainValidation = "0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DisableExceptionChainValidation = "0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe\DisableExceptionChainValidation = "0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE\DisableExceptionChainValidation = "0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Windows\regedit.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\mshta.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\msgfilt.dll" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\offfiltx.dll" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32\ThreadingModel = "Both" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ThreadingModel = "Both" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32\ThreadingModel = "Both" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 C:\Windows\regedit.exe N/A
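The two tables above are the rows behind the "Sets file execution options in registry" and "Registers COM server for autorun" signatures, flattened into "Description Indicator Process Target" lines. Two checks an analyst runs on such rows: under Image File Execution Options, a `Debugger` value is the hijack primitive, whereas `DisableExceptionChainValidation = "0"` (the only value the rows above set) turns SEHOP on for that image, a hardening opt-in rather than a redirection; for COM `InprocServer32` default values, compare the registered DLL path with what the report says was written. Note that the CLSID rows above point under `C:\Program Files\Common Files\...` while the drop tables for this run list the DLLs under `C:\Program Files (x86)\Common Files\...`, so the second check flags them for verification on the host. The Python below is an added example, not part of this report: it parses rows in that flat layout and applies both checks. The sample rows are copied from the tables above plus one drop-table row; the verdict names are this example's own.

```python
"""Parse the report's flattened signature rows and triage the registry changes (added example)."""
from __future__ import annotations

import re

# Constructed sample: rows copied from the IFEO and COM tables above, plus one
# row from the "Drops file in Program Files directory" table, in the flat
# "Description Indicator Process Target" layout the report uses.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\DisableExceptionChainValidation = "0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\ = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\msoshext.dll\"" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32\ = "C:\\Program Files\\Common Files\\Microsoft Shared\\Filters\\odffilt.dll" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32 C:\Windows\regedit.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
'''

DESCRIPTIONS = ("Set value (int)", "Set value (str)", "Key created", "Key deleted",
                "Key value queried", "File created", "File opened for modification")
IFEO = "\\image file execution options\\"
PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files")


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _unescape(value: str) -> str:
    """Peel the report's quoting layers off a printed registry value."""
    inner = _unquote(value).replace('\\"', '"').replace("\\\\", "\\")
    return _unquote(inner)


def parse_row(row: str) -> dict[str, str | None]:
    """Split one flattened row into description, key, value, process, target."""
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unrecognised description in row: {row[:40]!r}")
    rest, _, target = row[len(desc) + 1:].rpartition(" ")
    cut = rest.rindex(" C:\\")            # the process column starts at the last " C:\"
    key, process = rest[:cut], rest[cut + 1:]
    value = None
    if " = " in key:
        key, _, raw = key.partition(" = ")
        value = _unescape(raw)
    return {"desc": desc, "key": key, "value": value, "process": process, "target": target}


def triage_rows(rows: str, dropped: set[str] | None = None) -> list[tuple[str, str]]:
    """Return (verdict, detail) pairs for IFEO and COM InprocServer32 rows."""
    records = [parse_row(r) for r in rows.splitlines() if r.strip()]
    # DLL paths the report says were written, plus any the analyst supplies.
    known = {r["key"].lower() for r in records if r["desc"].startswith("File")}
    known |= {d.lower() for d in (dropped or ())}
    out: list[tuple[str, str]] = []
    for r in records:
        key = r["key"].lower()
        if IFEO in key:
            image, _, leaf = key.split(IFEO, 1)[1].partition("\\")
            if leaf == "debugger" and r["value"]:
                out.append(("ifeo_debugger_hijack", f"{image} -> {r['value']}"))   # the actual hijack primitive
            elif leaf == "disableexceptionchainvalidation":
                # 0 enables SEHOP for that image, 1 disables it.
                out.append(("sehop_enabled" if r["value"] == "0" else "sehop_disabled", image))
        elif "\\inprocserver32" in key:
            m = re.search(r"\{[0-9a-f-]{36}\}", key)
            clsid = m.group(0) if m else key
            if r["desc"] == "Key deleted":
                out.append(("com_inproc_deleted", clsid))
            elif key.endswith("\\inprocserver32\\") and r["value"]:   # default value = server DLL
                dll = r["value"]
                if not dll.lower().startswith(PROGRAM_DIRS):
                    verdict = "com_inproc_outside_program_dirs"
                elif dll.lower() not in known:
                    verdict = "com_inproc_dll_not_in_drop_list"
                else:
                    verdict = "com_inproc_registered"
                out.append((verdict, f"{clsid} -> {dll}"))
    return out


if __name__ == "__main__":
    for verdict, detail in triage_rows(SAMPLE_ROWS):
        print(f"{verdict:34} {detail}")
```

Passing the `dropped` set lets the analyst add paths confirmed on the host (for instance from a pre-existing Office install in the sandbox image) so that `com_inproc_dll_not_in_drop_list` collapses to `com_inproc_registered` once the registered DLL is accounted for.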

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-private-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-synch-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-xstate-l2-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-file-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-synch-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-process-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\VEN2232.OLB C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-math-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-time-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-private-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-eventing-provider-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-file-l2-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-file-l2-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-eventing-provider-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-convert-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-process-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-string-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\VEN2232.OLB C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-localization-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-time-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-utility-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\FM20CHS.DLL C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-localization-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\FM20.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-string-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-file-l1-2-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-environment-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-math-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-core-processthreads-l1-1-1.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-core-xstate-l2-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\sysWOW64\api-ms-win-crt-locale-l1-1-0.dll C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\FM20.DLL C:\Windows\System32\cmd.exe N/A
File created C:\Windows\sysWOW64\FM20CHS.DLL C:\Windows\System32\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ALRTINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\RICHED20.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSORES.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\PortalConnectCore.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEXBE.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\zh-cn C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWDAT.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\xlsrvintl.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO20WIN32CLIENT.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_PDF.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO20WIN32CLIENT.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Filters C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOIDRES.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACECORE.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEDAO.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.CNT C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\eqnedt32.exe.manifest C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEEXCL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEWSS.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\RICHED20.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\Cultures\Office.odf C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEERR.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODEXL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEOLEDB.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Portal\2052\PortalConnect.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\odffilt.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\oregres.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\1033\MSOINTL30.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSO40UIWIN32CLIENT.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\msointl30.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\EXP_XPS.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\MSOINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052\EEINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\ACEWSTR.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\2052\WWINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\ACEODBC.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EEINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBE7INTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\2052\VBEUIINTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\VBAJET32.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\2052 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.office.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\SHELLNEW\EXCEL.XLS C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\stdole C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.office\15.0.0.0__71e9bce111e9429c\Policy.14.0.office.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.office.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Word.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35 C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\MSDATASRC C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Word.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\stdole.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.14.0.office C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Word.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Microsoft.Office.interop.access.dao.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Office.Interop.Access.Dao.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Office.Interop.Access.Dao\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Office.Interop.Access.Dao.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\SHELLNEW\ACCESS.MDB C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.office\15.0.0.0__71e9bce111e9429c\Policy.12.0.Office.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Word\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Office.Interop.Word.config C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.11.0.Microsoft.Vbe.Interop.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\15.0.0.0__71e9bce111e9429c\Policy.11.0.Office.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_32\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\mscomctl C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.12.0.Microsoft.Vbe.Interop.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.14.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c\Policy.14.0.Microsoft.Vbe.Interop.dll C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Extensibility C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.StdFormat C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_32\stdole\7.0.3300.0__b03f5f7f11d50a3a C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Vbe.Interop\15.0.0.0__71e9bce111e9429c C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DEFAULT HTML EDITOR\SHELL\EDIT C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}\AlternateCLSID = "{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}\Compatibility Flags = "1024" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\AlternateCLSID = "{00024522-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}\Compatibility Flags = "1024" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\DEFAULT MHTML EDITOR\SHELL\EDIT C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\HTML Handler\Icon\.mhtml = ".docmhtml" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-powerpoint.slide.macroEnabled.12\Extension = ".sldm" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}\TypeLib\ = "{0D452EE1-E08F-101A-852E-02608C4D0BB4}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\Print\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\WINWORD.EXE\SupportedTypes\.txt C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\protocol\StdFileEditing\Verb\0\ = "@%CommonProgramFiles%\\Microsoft Shared\\Office16\\oregres.dll,-1" C:\Windows\regedit.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Components\613B99D5CFD7FCB4793B500086BB4113\{4737A56B-CF15-4A04-A6F0-9A9644B32D70},atpvbaen.xlam = 7a006e003d00420056004a002e007d0058002500210021002100210021004d004b004b0053006b00470069006d006d0065005f004f006e00440065006d0061006e00640044006100740061003c0045007800630065006c0041006400640069006e00410054005000460069006c006500730000000000 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xlsx\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\Conversion\Readable\Main C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{76FD94BA-8FF3-40B4-9C56-D7421DBFD10D} C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44FEE887-6600-41AB-95A5-DE33C605116C}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\shell\OpenAsReadOnly\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Workspace\shell\New C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{53FACA33-DB22-473F-BB51-96C2C86C9304}\TypeLib C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E64D2BE-2818-48CB-8F8A-CC7B61D9E860}\ = "Floor" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F7FC18E-292B-11D2-A795-DFAA798E9148}\MiscStatus\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\ViewProtected C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\Version\ = "2.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Access.Dao, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020996-0000-0000-C000-000000000046}\TypeLib\Version = "8.7" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{91493469-5A91-11CF-8700-00AA0060263B}\ = "Slides" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\shell\Printto\command C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\New\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\Version\ = "2.0" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020945-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000209B3-0000-0000-C000-000000000046}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8252C5E-EB9F-4D74-AA72-C178B128FAC4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\shell\New\ddeexec\ = "[new(\"%1\")]" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F7FC18D-292B-11D2-A795-DFAA798E9148}\TypeLib\ = "{2F7FC181-292B-11D2-A795-DFAA798E9148}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Forms.HTML:TextArea.1\CLSID\ = "{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\Open\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mde\Content Type = "application/msaccess" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wiz\ = "Word.Wizard.8" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\Implemented Categories C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209C7-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0389-0000-0000-C000-000000000046}\TypeLib\Version = "2.8" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E3F602F-BA36-4865-B3CD-F2EB008F62DE}\TypeLib\Version = "9.0" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.ShowMacroEnabled.12 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\shell\Printto\command C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\Verb\1\LocalizedString = "@%CommonProgramFiles%\\Microsoft Shared\\Office16\\oregres.dll,-3" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\InprocHandler32\ = "ole32.dll" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020911-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63FA9988-3004-4449-A54B-A6376492BF4A}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSGraph.Application\CurVer C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Application.16\CLSID\ = "{000209FF-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document\ = "Microsoft Word Document" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020953-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0002097D-0000-0000-C000-000000000046}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1532-0000-0000-C000-000000000046}\TypeLib\ = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B06E95A-E47C-11CD-8701-00AA003F0F07}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E962-E47C-11CD-8701-00AA003F0F07}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\Protocol\StdFileEditing\Verb\1 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A6B-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9212BA73-3E79-11D1-98BD-006008197D41}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{656BBED7-E82D-4B0A-8F97-EC742BA11FFA}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493492-5A91-11CF-8700-00AA0060263B} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C171B-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{787A2D6B-EF66-488D-A303-513C9C75C344}\Version\ = "2.0" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\ProgID\ = "PowerPoint.Show.12" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E974-E47C-11CD-8701-00AA003F0F07} C:\Windows\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2124 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 2124 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 1672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2124 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2124 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 2124 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mshta.exe
PID 3780 wrote to memory of 4796 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 3780 wrote to memory of 4796 N/A C:\Windows\system32\mshta.exe C:\Windows\System32\cmd.exe
PID 4796 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 4796 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\mode.com
PID 4796 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 2172 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 3608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 3608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 3156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 3156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4864 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4796 wrote to memory of 4444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 4796 wrote to memory of 4444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd"

C:\Windows\system32\mode.com

mode con: cols=80 lines=22

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "5."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.2."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.3."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.4."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "10."

C:\Windows\system32\mshta.exe

mshta vbscript:createobject("shell.application").shellexecute("""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd""","::",,"runas",1)(window.close)

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\!)安装.cmd" ::

C:\Windows\system32\mode.com

mode con: cols=80 lines=22

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "5."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.2."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.3."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.4."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "10."

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"

C:\Windows\regedit.exe

regedit /s ospp\unist.dat

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" e -y "ospp\QuickToobar.7z" -o"C:\Users\Admin\AppData\Local\Microsoft\Office"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\net.7z" -o"C:\Program Files (x86)\Microsoft.NET"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\netGAC.7z" -o"C:\Windows\assembly"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\MShared.7z" -o"C:\Program Files (x86)\Common Files\Microsoft Shared"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\7za.exe" x -y "ospp\ShellNew.7z" -o"C:\Windows"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\Addins\OTKLOADR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\ACCWIZ.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\ACCWIZ.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\IEAWSDC.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\IEAWSDC.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOEURO.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOEURO.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOHEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOHEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSOHEVI.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSOHEVI.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSRTEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSRTEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\REFEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\REFEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\OSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\OSF.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\NAME.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\NAME.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\CHART.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\CHART.DLL"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "Office16\MSADDNDR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/s "Office16\MSADDNDR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /s "C:\Windows\sysWOW64\FM20.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/s "C:\Windows\sysWOW64\FM20.DLL"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"C:\\" -t:"C:\\"

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\test.dat" -fic:"D:\\office2016" -t:"C:\\Users\\Admin\\AppData\\Local\\Temp\\Office 2016 四合一精简版"

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\test.dat"

C:\Windows\regedit.exe

regedit /s "office16\officeu.dat"

C:\Windows\system32\mshta.exe

mshta VBScript:Execute("Set a=CreateObject(""WScript.Shell""):Set b=a.CreateShortcut(a.SpecialFolders(""Desktop"") & ""\Word 2016.lnk""):b.TargetPath=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\WINWORD.exe"":b.WorkingDirectory=""C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\"":b.Save:close")

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 8.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3968-4-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3968-5-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unist.dat

MD5 48f78af51d6f4fee2d793112a57d9453
SHA1 21a400a14c49267be99173b3fcb4b5ea2e7cae9d
SHA256 e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33
SHA512 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123

C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll

MD5 694d2a073077aede544ab02f9b6d583e
SHA1 02d08fe89186ffdc9b8a6b70c481729243c22d06
SHA256 171ac7a1cb48bd459d4b59a141026f5ec84d0b3705a265e0bac6015d320cd1ae
SHA512 3313889db184961d0b452968fb413b57a3b6b6f0175889a4f19569e32e69f7c470378234ba980e62350cda67e392f9040b2b5da8cece8e6b628ab6db406bc906

C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll

MD5 8123371105dbb370ea3b90e5f5e7ad0c
SHA1 1ef4e8fc494237e50995592cb4e00becd0bbf982
SHA256 0a89f5f1fd9143d4822d349102d33b37cb9f8f42f17c1ea37ac047d70dcd9a95
SHA512 50196fb9da3a095436521393b8924859125d978bbf6e0e9af83b4e59a474398e97f09c08a3c5ca4310718677cde84e805a4acc7956b9c5eb8b14c39166579754

C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll

MD5 79a3facb00d5f2250388f2093105677c
SHA1 da9645d3e9aa9cebe4696b6977e591a8d5dbfffc
SHA256 4b380d82641d85b539a0b53a6ac0c187de6102e1cfcbb951448565381cfb12be
SHA512 53256ba080e37030eef29d16c964bfad4540378a672a8b2f164ce40add8fca409c554b4c14cfeaa083e59b2b66157a8e648315ad7f67c95562df59e5988b88f2

C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll

MD5 704ac2c8e2f085154553c20617c63d71
SHA1 d41d2ec9a81df135c98b1f1feb9a10976d2c719e
SHA256 fc69f45102cbd0897c15a9e80888232733800f73f1bb2cc49ba4e34dd896d446
SHA512 9276952b09fca7a2031e80f80263414e16eac8df88da037909315761399d52c260a9b8444a08bac04df6d841a0471a7c38ed5c2634c6c3007de607303572c2c1

C:\Windows\sysWOW64\FM20.DLL

MD5 81cb73ff04ae1643ecb1fe08de6eebd2
SHA1 6b8dfc4f276da404f830e1f41af2c8cc044d400f
SHA256 8380e73a0eacf24fac2ff9682fb9717675dbaf26a972e0de5e71b46bce941c85
SHA512 431a717d48e24d9f78be7f751d36d6590164c82c7e04cace84bb845c30dee5d4842b38043363c93d657f31dd0802f45170cc77a4166752ce05c573a8cd84256a

memory/4124-308-0x0000000000400000-0x000000000048F000-memory.dmp

memory/1028-309-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\test.dat

MD5 0e6ddffe4e0a7f54a68acc67c05bb959
SHA1 f0fab9434c836e60bc3d49ac34f883dd746c05e4
SHA256 8740f131d786441bf8b43c963d8139fa57d32ffeea3241051ffa721e9521ee6d
SHA512 7e716e8c35a8f999c98586651db730b627ab87cc997447ad6bf681b6e7ededce94eaec04f7336b0598c41a97829ef2e639c75dd84d3b854926fff91379e11180

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win7-20231129-en

Max time kernel

119s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"

Signatures

Grants admin privileges

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Stops running service(s)

evasion

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 C:\Windows\regedit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\rundll32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\system32\rundll32.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E705280-92D1-43CC-A57B-ED48BCCC711D}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0353-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C1711-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{99755F80-FE96-4F7D-B636-B8E800E54F44}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell\Edit\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F7FC18E-292B-11D2-A795-DFAA798E9148}\Control C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\Conversion C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-word.document.12 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\HTML Handler\Icon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats\GetSet\0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03F1-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91807402-6C6F-47CD-B8FA-C42FEE8EE924}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020980-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E1-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493460-5A91-11CF-8700-00AA0060263B} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell\OpenAsReadOnly\ddeexec\topic C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-word.template.12 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020970-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0322-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF076FDE-8781-4051-A5BC-99F6B7DC04D4}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.8\Shell\ViewProtected\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}\DataFormats C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\DataFormats C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\InprocHandler C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\AuxUserType\3 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000CDB05-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\shell\Show C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Template.12\shell\ViewProtected C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0411-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{34CEAC8D-CBC0-4f77-B7B1-8A60CB6DA0F7} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0388-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Print\ddeexec C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209DD-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209F6-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002094A-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209A2-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0369-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\shell\New\ddeexec\topic C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\shell\OpenAsReadOnly\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9149349D-5A91-11CF-8700-00AA0060263B} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{914934EE-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A52-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\protocol\StdFileEditing\Verb\0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-powerpoint.slideshow.macroEnabled.12 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E996-E47C-11CD-8701-00AA003F0F07} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet.12\protocol\StdFileEditing\Verb C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020999-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C03BD-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.TemplateMacroEnabled.12\shell\Print C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\InprocHandler32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0320-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\DataFormats\GetSet\4 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B06E974-E47C-11CD-8701-00AA003F0F07} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4442A83-F623-459C-8E95-8BFB44DCF23A}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020833-0000-0000-C000-000000000046}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E9-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xlt C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\Verb\0 C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\PersistentHandler C:\Windows\regedit.exe N/A

Runs net.exe

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 840 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 2848 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 2848 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 2848 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 2848 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 2848 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 1420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1420 wrote to memory of 2764 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2684 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2700 wrote to memory of 2696 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2848 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2848 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"

C:\Windows\regedit.exe

regedit /s ospp\unist.dat

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\ACCWIZ.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\ACCWIZ.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\CHART.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\CHART.DLL"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\IEAWSDC.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\IEAWSDC.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOEURO.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOEURO.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOHEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOHEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOHEVI.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOHEVI.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSRTEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSRTEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\REFEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\REFEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\NAME.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\NAME.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\OSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\OSF.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSADDNDR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSADDNDR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Windows\sysWOW64\FM20.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "C:\Windows\sysWOW64\FM20.DLL"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"

C:\Windows\system32\reg.exe

Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\net.exe

net stop osppsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop osppsvc

C:\Windows\system32\sc.exe

sc delete osppsvc

C:\Windows\system32\net.exe

net localgroup administrators "Network Service" /del

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators "Network Service" /del

C:\Windows\system32\regsvr32.exe

regsvr32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.dll"

C:\Windows\system32\takeown.exe

takeown /f "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat" /grant administrators:F /t

Network

N/A

Files

memory/1908-2-0x0000000000400000-0x000000000048F000-memory.dmp

memory/1908-3-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unist.dat

MD5 48f78af51d6f4fee2d793112a57d9453
SHA1 21a400a14c49267be99173b3fcb4b5ea2e7cae9d
SHA256 e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33
SHA512 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123

C:\Users\Admin\AppData\Local\Temp\re.inf

MD5 e4fc9b9ff7402bffbdd8730140b34c14
SHA1 7d0470929299adf0848c1d3638c9f21aa5b7eaa9
SHA256 86d663270650deebd9dc2acbdd9d996a3dd1eb952c1c1d921cdcbdc7d317f27a
SHA512 7a68e2cbe2c2bdc188eda84489427316b4017302639e685bfc03417aa4d14836789bf6848815df6782e8e40b9dace9af502f42095d356b45312fdbd7cfbd8e45

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win10v2004-20240226-en

Max time kernel

133s

Max time network

132s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4039B326-9F27-4B4A-B460-47A0C6A39D5C}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A98B233-3C59-4B31-944C-0E560D85E6C3}\InProcServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9FBC2D8F-6F52-4CFA-A86F-096F3E9EB4B2}\InProcServer32 C:\Windows\regedit.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\system32\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll C:\Windows\system32\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857} C:\Windows\regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\Conversion\Readable\Main C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031C-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1709-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1731-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Edit\ddeexec C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0322-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C3-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD100-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\Open C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\shell\OpenAsReadOnly\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C172B-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\Protocol\StdFileEditing\RequestDataFormats C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C037C-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.OpenDocumentSpreadsheet\CurVer C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\shell\Print\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.TemplateMacroEnabled\shell\Printto\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template.12\shell\Edit C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\ShellEx C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.potx\ShellEx\PropertyHandler C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\GetSet\1 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0308-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB0F-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.msg\PersistentHandler C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\PersistentHandler\ = "{AA10385A-F5AA-4EFF-B3DF-71B701E25E18}" C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.OpenDocumentText.12\shell\OnenotePrintto\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\VersionIndependentProgID C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{048EB43E-2059-422F-95E0-557DA96038AF}\VersionIndependentProgID C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\ProgID C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Implemented Categories C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031E-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C036D-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.12\shell\OpenAsReadOnly\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\Verb\0 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C4-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03D7-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.UriLink.16 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.12\shell\Open C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\DocObject C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\Protocol\StdFileEditing\Verb\1 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\shell\New C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\AuxUserType C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000209FF-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\Conversion\Readable C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.odt\ShellEx C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Print\ddeexec C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\DataFormats\GetSet\3 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031C-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.8\shell\New\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.12\shell\ViewProtected C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020906-0000-0000-C000-000000000046}\LocalServer32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\DataFormats C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\DefaultIcon C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03A0-0000-0000-C000-000000000046}\TypeLib C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\shell\Open\command C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0913-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03A6-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C1730-0000-0000-C000-000000000046} C:\Windows\regedit.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC020317-E6E2-4A62-B9FA-B3EFE16626F4}\DataFormats\DefaultFile C:\Windows\regedit.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 1760 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 1760 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 1760 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 1760 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe
PID 1760 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 1760 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\regedit.exe
PID 1760 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 1592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4760 wrote to memory of 4004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 4004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4760 wrote to memory of 4004 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 3900 wrote to memory of 316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3900 wrote to memory of 316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3900 wrote to memory of 316 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 4016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 4016 wrote to memory of 4088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4016 wrote to memory of 4088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4016 wrote to memory of 4088 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 3904 wrote to memory of 2708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3904 wrote to memory of 2708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3904 wrote to memory of 2708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 3252 wrote to memory of 3304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3252 wrote to memory of 3304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3252 wrote to memory of 3304 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 3428 wrote to memory of 2752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3428 wrote to memory of 2752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3428 wrote to memory of 2752 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2568 wrote to memory of 2992 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 3228 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3228 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3228 wrote to memory of 5024 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 2608 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2608 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2608 wrote to memory of 1708 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1760 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1760 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\regsvr32.exe
PID 1684 wrote to memory of 2796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1684 wrote to memory of 2796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"

C:\Windows\regedit.exe

regedit /s ospp\unist.dat

C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe

"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""

C:\Windows\regedit.exe

regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\MSOXEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\msoshext.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\Addins\OTKLOADR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\ACCWIZ.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\ACCWIZ.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\CHART.DLL"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\CHART.DLL"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\IEAWSDC.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\IEAWSDC.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOEURO.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOEURO.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOHEV.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOHEV.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSOHEVI.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSOHEVI.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSRTEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSRTEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\REFEDIT.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\REFEDIT.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\NAME.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\NAME.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\OSF.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\OSF.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "Office16\MSADDNDR.dll"

C:\Windows\SysWOW64\regsvr32.exe

/u /s "Office16\MSADDNDR.dll"

C:\Windows\system32\regsvr32.exe

REGSVR32 /u /s "C:\Windows\sysWOW64\FM20.DLL"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"

C:\Windows\system32\reg.exe

Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf

C:\Windows\system32\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\System32\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.0."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ver "

C:\Windows\system32\find.exe

find "6.1."

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
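Added example (editor's code, not part of this sandbox report or of the analysed package): a small triage helper that walks the Processes listings of behavioral3 (above, the win7 run) and behavioral4 (this win10 run) and turns each image/command-line pair into behaviour tags, then counts whether the run is adding things (COM registration, group membership /add) or tearing them down (regsvr32 /u, sc delete, /del). The rows in SAMPLE are copied, abbreviated, from the behavioral3 Processes section; the tag names, the regexes, the "non_system_image" check and the teardown-versus-setup heuristic are the editor's assumptions, not sandbox signatures.

```python
"""Triage helper for sandbox Processes listings (editor's example, not sandbox code)."""
import re
from collections import Counter

# (tag, image basenames the rule applies to, regex run on the lower-cased command line).
# Tag names and patterns are the editor's assumptions; the image is checked separately
# because the SysWOW64 regsvr32 children carry only "/u /s <dll>" as their command line.
RULES = [
    ("registry_import_silent",  {"regedit.exe"},          r"(^|\s)/s(\s|$)"),
    ("com_unregister",          {"regsvr32.exe"},         r"(^|\s)/u(\s|$)"),
    ("com_register",            {"regsvr32.exe"},         r"^(?!.*(^|\s)/u(\s|$))"),  # no /u switch
    ("inf_install_setupapi",    {"rundll32.exe"},         r"setupapi\.dll,installhinfsection"),
    ("service_stop",            {"net.exe", "net1.exe"},  r"(^|\s)stop\s+\S+"),
    ("service_delete",          {"sc.exe"},               r"(^|\s)delete\s+\S+"),
    ("localgroup_remove_admin", {"net.exe", "net1.exe"},  r"(^|\s)localgroup\s+administrators\s.*\s/del(\s|$)"),
    ("localgroup_add_admin",    {"net.exe", "net1.exe"},  r"(^|\s)localgroup\s+administrators\s.*\s/add(\s|$)"),
    ("take_ownership",          {"takeown.exe"},          r"(^|\s)/f(\s|$)"),
    ("acl_grant",               {"icacls.exe"},           r"(^|\s)/grant(\s|$)"),
    ("os_version_probe",        {"find.exe"},             r'"6\.\d+\."'),
    ("shell_folder_query",      {"reg.exe"},              r"(^|\s)query\s.*user shell folders"),
]
COMPILED = [(tag, images, re.compile(rx)) for tag, images, rx in RULES]


def classify(image, cmdline):
    """Return the set of behaviour tags for one (image path, command line) pair."""
    base = image.rsplit("\\", 1)[-1].lower()
    cl = cmdline.lower()
    tags = {tag for tag, images, rx in COMPILED if base in images and rx.search(cl)}
    # Anything not loaded from under C:\Windows is the binary to hash and unpack first.
    if not image.lower().startswith("c:\\windows\\"):
        tags.add("non_system_image")
    return tags


def summarize(processes):
    """Count tags over a whole Processes listing; missing tags read as 0."""
    counts = Counter()
    for image, cmdline in processes:
        counts.update(classify(image, cmdline))
    return counts


def direction(counts):
    """Heuristic: does the run register/add, or unregister/delete/remove? (editor's assumption)"""
    adds = counts["com_register"] + counts["localgroup_add_admin"]
    removes = counts["com_unregister"] + counts["localgroup_remove_admin"] + counts["service_delete"]
    if removes and not adds:
        return "teardown"
    if adds and not removes:
        return "setup"
    return "mixed" if adds and removes else "none"


# Copied (abbreviated) from the behavioral3 Processes section of this report.
SAMPLE = [
    (r"C:\Windows\system32\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\-)卸载.cmd"'),
    (r"C:\Windows\regedit.exe", r"regedit /s ospp\unist.dat"),
    (r"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\FR.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\fr.exe" "C:\Users\Admin\AppData\Local\Temp\unist.dat" -fic:"\Wow6432Node" -t:""'),
    (r"C:\Windows\regedit.exe", r'regedit /s "C:\Users\Admin\AppData\Local\Temp\unist.dat"'),
    (r"C:\Windows\system32\regsvr32.exe", r'REGSVR32 /u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"'),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r'/u /s "C:\Program Files (x86)\Common Files\Microsoft Shared\MSClientDataMgr\MSCDM.dll"'),
    (r"C:\Windows\system32\regsvr32.exe", r'REGSVR32 /u /s "C:\Windows\sysWOW64\FM20.DLL"'),
    (r"C:\Windows\system32\reg.exe", r'Reg Query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Desktop"'),
    (r"C:\Windows\system32\rundll32.exe", r"RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 C:\Users\Admin\AppData\Local\Temp\re.inf"),
    (r"C:\Windows\System32\grpconv.exe", r'"C:\Windows\System32\grpconv.exe" -o'),
    (r"C:\Windows\system32\find.exe", r'find "6.1."'),
    (r"C:\Windows\system32\net.exe", r"net stop osppsvc"),
    (r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 stop osppsvc"),
    (r"C:\Windows\system32\sc.exe", r"sc delete osppsvc"),
    (r"C:\Windows\system32\net.exe", r'net localgroup administrators "Network Service" /del'),
    (r"C:\Windows\system32\net1.exe", r'C:\Windows\system32\net1 localgroup administrators "Network Service" /del'),
    (r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat"'),
    (r"C:\Windows\system32\icacls.exe", r'icacls "C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat" /grant administrators:F /t'),
]

if __name__ == "__main__":
    c = summarize(SAMPLE)
    for tag, n in sorted(c.items()):
        print(f"{tag:24s} {n}")
    print("direction:", direction(c))
```

On the sample every tag is an unregistration, deletion or removal (three regsvr32 /u calls, sc delete osppsvc, net localgroup administrators "Network Service" /del) and there is no registration or /add, so direction() reports teardown. That matches the script name (卸载 is "uninstall", 四合一精简版 is "four-in-one lite edition") and is worth holding against the "Registers COM server for autorun" signature above, whose rows are all key deletions. The one image outside C:\Windows, ospp\FR.exe, is the binary to hash and unpack before a verdict is finalised.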

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 33.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4944-2-0x0000000000400000-0x000000000048F000-memory.dmp

memory/4944-3-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\unist.dat

MD5 48f78af51d6f4fee2d793112a57d9453
SHA1 21a400a14c49267be99173b3fcb4b5ea2e7cae9d
SHA256 e9f701d01a19c5cfb25186ef532e32d0ea5b35f1e6409323da587f82516e0a33
SHA512 91ac3e695e45b11cb26014564ba450195942e97f68c24c6eac341b0043d4a91477eb8bbe3fd1c28d3e7cf68971460b69a2b868f9169a4d30d9769420c28e5123

C:\Users\Admin\AppData\Local\Temp\re.inf

MD5 e4fc9b9ff7402bffbdd8730140b34c14
SHA1 7d0470929299adf0848c1d3638c9f21aa5b7eaa9
SHA256 86d663270650deebd9dc2acbdd9d996a3dd1eb952c1c1d921cdcbdc7d317f27a
SHA512 7a68e2cbe2c2bdc188eda84489427316b4017302639e685bfc03417aa4d14836789bf6848815df6782e8e40b9dace9af502f42095d356b45312fdbd7cfbd8e45

memory/1016-10-0x000001785DA40000-0x000001785DA50000-memory.dmp

memory/1016-26-0x000001785DB40000-0x000001785DB50000-memory.dmp

memory/1016-42-0x0000017865FA0000-0x0000017865FA1000-memory.dmp

memory/1016-43-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-44-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-45-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-46-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-47-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-48-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-49-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-50-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-51-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-52-0x0000017865FD0000-0x0000017865FD1000-memory.dmp

memory/1016-53-0x0000017865D00000-0x0000017865D01000-memory.dmp

memory/1016-54-0x0000017865CF0000-0x0000017865CF1000-memory.dmp

memory/1016-56-0x0000017865D00000-0x0000017865D01000-memory.dmp

memory/1016-59-0x0000017865CF0000-0x0000017865CF1000-memory.dmp

memory/1016-62-0x000001785D3E0000-0x000001785D3E1000-memory.dmp

memory/1016-76-0x0000017865E30000-0x0000017865E31000-memory.dmp

memory/1016-74-0x0000017865E20000-0x0000017865E21000-memory.dmp

memory/1016-77-0x0000017865E30000-0x0000017865E31000-memory.dmp

memory/1016-78-0x0000017865F40000-0x0000017865F41000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win7-20240215-en

Max time kernel

119s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2572 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2572 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2572 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2628 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2628 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2628 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2908 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2908 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2908 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2548 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2208 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2208 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2456 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2456 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2456 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2208 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:cy2617.jios.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:k.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.03k.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.chinancce.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.digiboy.ir

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.lotro.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms-win.msdn123.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:m.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:mvg.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:www.beishe.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:xykz.f3322.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:www.zgbs.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.dwhd.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.imazes.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:122.226.152.230

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:115.159.2.184

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:119.28.13.193

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:3rss.vicp.net:20439

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:54.223.212.31

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:cy2617.6655.la

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.aliyun-inc.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.shuax.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:ss.yechiu.xin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:18

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

173s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1548 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1548 wrote to memory of 1696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 4456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4592 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4592 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1504 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1504 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1476 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1476 wrote to memory of 3352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 4880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4496 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 4496 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 4804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1108 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1108 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 1392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1116 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1116 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 4212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 3228 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3228 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3228 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 5028 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 5028 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:cy2617.jios.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:k.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.03k.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.chinancce.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.digiboy.ir

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.lotro.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms-win.msdn123.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:m.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:mvg.zpale.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:www.beishe.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:xykz.f3322.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:www.zgbs.cc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.dwhd.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.imazes.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:122.226.152.230

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:115.159.2.184

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:119.28.13.193

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:3rss.vicp.net:20439

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:54.223.212.31

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:cy2617.6655.la

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.aliyun-inc.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:kms.shuax.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Windows\system32\cscript.exe

cscript //Nologo ospp.vbs /sethst:ss.yechiu.xin

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"

C:\Windows\system32\find.exe

find /i "successful"

C:\Windows\system32\cscript.exe

cscript //nologo ospp.vbs /act

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2824 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 128.225.79.178.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
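The process lists for behavioral7 and behavioral8 above show the same loop repeated for each entry in OfficeKMS.bat: `cscript ospp.vbs /sethst:<host>` points Office's activation client at a KMS host, `cscript ospp.vbs /act` asks it to activate, and `find /i "successful"` decides whether to move on to the next host. ospp.vbs is Microsoft's own Office Software Protection Platform script, so the hostile part is the host list, not the tool. The behavioral8 Network table records only Edge background traffic to Microsoft and Bing; none of the KMS hosts appears there, so nothing in this run confirms a KMS server was ever reached. The Python below is an added example written for this page, not code from the report, the sandbox vendor, or the sample's author. It pulls the `/sethst:` targets out of command lines in the report's format, classifies them (IP literal, non-default port, dynamic-DNS name), counts activation attempts, and cross-checks the hosts against the flattened network rows. The command lines and network rows are copied from this report; the dynamic-DNS suffix list and the single "hit" row are assumptions constructed for the example.

```python
"""Pull KMS activation targets out of sandbox process command lines and check
whether the sandbox's network log shows any of them being contacted.

Added example; not part of the sandbox report or of the analysed sample.
ospp.vbs is Microsoft's Office Software Protection Platform script:
/sethst:<host[:port]> sets the KMS host and /act requests activation
(KMS listens on TCP 1688 by default)."""
import ipaddress
import re
from dataclasses import dataclass

KMS_DEFAULT_PORT = 1688

# Command lines copied from the report's Processes section, trimmed to one
# example of each shape the OfficeKMS.bat loop produces.
PROCESS_LINES = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\ospp\OfficeKMS.bat"',
    "cscript //Nologo ospp.vbs /sethst:cy2617.jios.org",
    r'C:\Windows\system32\cmd.exe /S /D /c" ( cscript //nologo ospp.vbs /act )"',
    'find /i "successful"',
    "cscript //nologo ospp.vbs /act",
    "cscript //Nologo ospp.vbs /sethst:xykz.f3322.org",
    "cscript //Nologo ospp.vbs /sethst:122.226.152.230",
    "cscript //Nologo ospp.vbs /sethst:3rss.vicp.net:20439",
    "cscript //Nologo ospp.vbs /sethst:kms.aliyun-inc.com",
]

# Rows copied from the behavioral8 Network table: Country Destination [Domain] Proto.
NETWORK_LINES = [
    "US 20.231.121.79:80 tcp",
    "US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "US 13.107.246.64:443 tcp",
]

# Constructed row (NOT from the report) showing what a real KMS contact looks like.
CONSTRUCTED_KMS_HIT = ["CN 122.226.152.230:1688 tcp"]

# Dynamic-DNS providers used by hosts in the report. Assumption: illustrative,
# not exhaustive. A KMS server on a free DDNS name points to a public "pirate"
# KMS rather than an organisation's own activation host.
DYNDNS_SUFFIXES = ("f3322.org", "vicp.net")

SETHST_RE = re.compile(r"ospp\.vbs\s+/sethst:(?P<target>\S+)", re.IGNORECASE)
# Match the cscript process itself, not the cmd.exe wrapper that spawns it,
# so each activation attempt is counted once.
ACT_RE = re.compile(r"^cscript\s+//nologo\s+ospp\.vbs\s+/act\b", re.IGNORECASE)


@dataclass(frozen=True)
class KmsTarget:
    host: str
    port: int
    is_ip: bool
    dyndns: bool


def parse_sethst(target: str) -> KmsTarget:
    """Split the 'host[:port]' argument that ospp.vbs /sethst accepts."""
    if ":" in target:
        host, port_s = target.rsplit(":", 1)
        port = int(port_s)
    else:
        host, port = target, KMS_DEFAULT_PORT
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    dyndns = any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)
    return KmsTarget(host, port, is_ip, dyndns)


def extract_kms_targets(lines):
    """Every KMS host the batch file pointed Office at, in execution order."""
    return [parse_sethst(m.group("target"))
            for line in lines if (m := SETHST_RE.search(line))]


def count_activation_attempts(lines):
    return sum(1 for line in lines if ACT_RE.search(line))


def parse_network(lines):
    """Yield (ip, port, domain) from flattened 'Country ip:port [domain] proto' rows."""
    for line in lines:
        parts = line.split()
        ip, port_s = parts[1].rsplit(":", 1)
        domain = parts[2].lower() if len(parts) == 4 else ""
        yield ip, int(port_s), domain


def contacted_targets(targets, network_lines):
    """KMS targets whose host appears as a destination IP or resolved domain."""
    rows = list(parse_network(network_lines))
    seen = {ip for ip, _, _ in rows} | {d for _, _, d in rows if d}
    return [t for t in targets if t.host in seen]


def triage_summary(process_lines, network_lines):
    targets = extract_kms_targets(process_lines)
    return {
        "kms_hosts": len(targets),
        "ip_literals": sum(t.is_ip for t in targets),
        "dyndns_hosts": sum(t.dyndns for t in targets),
        "nonstandard_port": sum(t.port != KMS_DEFAULT_PORT for t in targets),
        "activation_attempts": count_activation_attempts(process_lines),
        "contacted": [t.host for t in contacted_targets(targets, network_lines)],
    }


if __name__ == "__main__":
    for key, value in triage_summary(PROCESS_LINES, NETWORK_LINES).items():
        print(f"{key}: {value}")
```

Run against the report's own lines the summary reports five KMS hosts, one IP literal, one non-default port (3rss.vicp.net:20439) and no contacted hosts; appending the constructed `122.226.152.230:1688` row makes that host show up as contacted, which is the check to run against real proxy or NetFlow data when this batch file turns up on a corporate machine. For detection, the durable signal is the parent-child shape `cmd.exe -> cscript.exe ospp.vbs /sethst:` with a host outside the organisation's own KMS, not the process names themselves, which are all signed Windows binaries.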

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win7-20240220-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000bc45ac17d78a49603d2b010cb06f3b7396eb644575a4881b560ac5335746e8f4000000000e8000000002000020000000f3b06b1ad1fa95886356c5250b133efeaffba48c29970f16b9940d7b9ed3e62020000000db7a3ebfe78fc91e77301d30e68dc2130dd799c4a81cc06511d290a9ec6aa68340000000de10c7037771245622663b812e53386d6aef6c3c20ec2b750fbdcf2fe9afe8521495292ac745af66e1695544af570a2f33856c91355c4289ce5ac51436f95fdb C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417275176" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34F6C241-E84E-11EE-852B-6265250A2D3F} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9066ba095b7cda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2148 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2148 wrote to memory of 2768 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2768 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\Office16\MML2OMML.xml"

Network

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:18

Platform

win7-20240221-en

Max time kernel

121s

Max time network

139s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-22 13:10

Reported

2024-03-22 13:17

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

155s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Office 2016 四合一精简版\更多好玩的了解一下.png"

Network

Files

N/A