Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10/04/2024, 10:03
Behavioral task
behavioral1
Sample
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
Resource
win10v2004-20240226-en
General
-
Target
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
-
Size
32KB
-
MD5
bdf188b3d0939ec837987b4936b19570
-
SHA1
aba938bf8dc5445df3d5b77a42db4d6643db4383
-
SHA256
28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53
-
SHA512
63b39390bd9702fa01e8d2ac63d63d37545547c0abf2c6403cd11e329d546716f313cb8e1f2a167ffd1ebd2cf56a205423359270563a19deaf9b167a3691c5ac
-
SSDEEP
768:DiehqsoMCWBJ9B23vxllNuLWlX9Ymzj+3BaVk7oXaFa4:Di9soc5B0vB9t9YWSBaUoXaQ4
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 2916 WINWORD.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\FLAGS\ = "6" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}\ = "IDataAutoWrapper" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}\ = "MdcOptionButtonEvents" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents10" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29} WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}\ = "ILabelControl" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\FLAGS WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}\ = "Tab" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}\ = "ControlEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents3" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}\ = "IReturnString" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\VBE\\MSForms.exd" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}\ = "IScrollbar" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents7" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF} WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3} WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{542D086C-E6DA-4CA6-8EEA-76A60E0398D9}\2.0\ = "Microsoft Forms 2.0 Object Library" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000_CLASSES\Wow6432Node\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074} WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE -
NTFS ADS 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\~WRD0000.tmp\:Zone.Identifier:$DATA WINWORD.EXE File created C:\Users\Admin\AppData\Local\Temp\~WRD0002.tmp\:Zone.Identifier:$DATA WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2916 WINWORD.EXE -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2916 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2916 WINWORD.EXE 2916 WINWORD.EXE 2784 WINWORD.EXE 2784 WINWORD.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2916 wrote to memory of 2444 2916 WINWORD.EXE 27 PID 2916 wrote to memory of 2444 2916 WINWORD.EXE 27 PID 2916 wrote to memory of 2444 2916 WINWORD.EXE 27 PID 2916 wrote to memory of 2444 2916 WINWORD.EXE 27
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm"1⤵
- Deletes itself
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2784
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\28de2ccff30a4f198670b66b6f9a0ce5f5f9b7f889c2f5e6a4e365dea1c89d53.dotm
Filesize45KB
MD50bd3d6e8d36b42cd0d772b5b1cc6dd15
SHA10be5826ccdf3ff4ff92dea7586332ea6f50228e6
SHA25618c1d4f2781f98a0ae9131dedee10accff8061732056a319e89a629d19517be1
SHA512931bbcfe66f89a49261c9590cf641739e809d5c430fc1daa5fd29b99c0daba154e0ea47d9d28c2282cd9f42492dde77339f4461bd79edb8dc03b8b024133724c
-
Filesize
36KB
MD50daab2b91315a8859daee807fb1d0a8d
SHA1116cb5aac03402a3babbb443cb173c99b6f04525
SHA256c992eec5f5c6905b3d269347333af7b0940e0b1e0fc0d414b82e3e7317b070c6
SHA5120fc9b891940533f2c9f49294e13a47fe5785ed1a889aa0f3afddf8471216304a8d2d6699d536a867cc2861e274aca2a4450e3f94138901bd344efb9f7bdea332
-
Filesize
55B
MD5b04fd3884038b13390e7a065db5af8e8
SHA177766abc66b4466c2bbbf7c95ffce8e88888cb2a
SHA256dbfc917519388f434307e61f1e03c6d76817d90ff746217f0f9c06858c3c3650
SHA512a1739f2774f4bb11335eaec921a76736a0f5ec3a98c04fbf0777e902c07c640bc90f4806710d12e34f9f51d855044f007a1519f779eaf1754e533134b2a0e8e4
-
Filesize
20KB
MD52613e069bd1a26cd5d0c51b8bda2d65a
SHA1e2bc0cd8d6aac818d5f7f2c1b64dd261104b4acf
SHA256c4f0afb2912b889570837d8f030b2887f31426dd7f1034d4329d91ccbf591a7a
SHA512059bd0a45c1b76c1781dfbd7c458aadd8d7ee37639885137f499e3d777852d4c6b4814012acd614853220356b9ef30a52b7c1e5ae58d754d3d1289e4e7f102d2
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84