a6f2b8885c4afacbbbf2e26fa24642a53e9e53ea96a134abae1581df0473ef0d

Analysis

max time kernel
1558s
max time network
1558s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WindowsFormsApp4.exe
Size

13KB
MD5

b91f900258fa7c606d0f8ebebf576690
SHA1

c9a141b4c3bccfd4248e9071963e726a35c817e6
SHA256

a6f2b8885c4afacbbbf2e26fa24642a53e9e53ea96a134abae1581df0473ef0d
SHA512

82a667fff3a8b79daf4084aadd9ce28c711e1896a39f9d3b6543246ad79f1c34092b2d378d9f2945f0605588fe7451491b1f54094ad0c65a47bff1b0274cd304
SSDEEP

384:gEQd5Ek/gLt/DLjLR9zEs1LULxLPnkOhYVMfrnuHNptYcFwVc03K:Qd+LdXhJYlPkaYQnuH/tYcFwVc6K

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2716	2964	WerFault.exe	27

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1980	WINWORD.EXE
1868	vlc.exe
1460	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2276	chrome.exe
2276	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2524	taskmgr.exe
1868	vlc.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	taskmgr.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe
Token: SeShutdownPrivilege	2276	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
1868	vlc.exe
1868	vlc.exe
1868	vlc.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
2524	taskmgr.exe
1868	vlc.exe
1868	vlc.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe
2276	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1980	WINWORD.EXE
1868	vlc.exe
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE
1460	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2716	2964	WindowsFormsApp4.exe	29
PID 2964 wrote to memory of 2716	2964	WindowsFormsApp4.exe	29
PID 2964 wrote to memory of 2716	2964	WindowsFormsApp4.exe	29
PID 2964 wrote to memory of 2716	2964	WindowsFormsApp4.exe	29
PID 2276 wrote to memory of 2272	2276	chrome.exe	38
PID 2276 wrote to memory of 2272	2276	chrome.exe	38
PID 2276 wrote to memory of 2272	2276	chrome.exe	38
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2060	2276	chrome.exe	40
PID 2276 wrote to memory of 2008	2276	chrome.exe	41
PID 2276 wrote to memory of 2008	2276	chrome.exe	41
PID 2276 wrote to memory of 2008	2276	chrome.exe	41
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42
PID 2276 wrote to memory of 2924	2276	chrome.exe	42

C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsFormsApp4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 696
  2⤵
  - Program crash
  PID:2716

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2524

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\SyncExport.dot"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4f69758,0x7fef4f69768,0x7fef4f69778
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:2
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1636 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1548 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:2
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1348 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 --field-trial-handle=1252,i,1402561517165243386,16592431670505397897,131072 /prefetch:8
  2⤵
  PID:2540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2824

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1c32cbb0-35a2-40bf-91ac-0cbdb5bf661b.tmp

Filesize
129KB

MD5
38602e052f94e3f88f28c4e85dced8a7

SHA1
cd1b973c5a0b8727861b0703c44013644c25745e

SHA256
c4f5e802abb99afcf5ce1a4c8cb52b5c6578687a9b455f73e2a42e1c1b061591

SHA512
f2031ee4b8a4c957ec5bf737fe614887fcd78eb50eb1ea1ad51aefbb442572ec3efe9b77e6b9fc1304631c55b15fbc7018cee4e28db8665ce3c8f21acae2db65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
56B

MD5
444e05d78e0f57279f6e471e7ef18a4a

SHA1
80e472cc77dee6c40735013d3fdbb0588d18e8cd

SHA256
1bfdaeb2048385e9fada4c55e27d32797407da4a723fad6e9381d0a42d620512

SHA512
2b6f363800c311cf44d255d303379040b84cc244e00a6ebc3a9aca321d752a3f0e20163b4a9232486bb5f05c7bd5e9c04fdb88120cfd32e57a2d28966aca1e47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
e6b5d46c1b83b25721a910f214d1a798

SHA1
7d657a84dca5307af6f42457ba1685dc9c4f7672

SHA256
3048c8030a79c243596be1ff404080b77e742ab300de125c6dc7f5ba81f8f251

SHA512
f75335f69c80021c622f34cce5625c61eb5d56a88719918ab967a2d2cb18135dcaec89d3d13c027a0155f97d4763fd33136b5739a7e63ec20f519fedb69b91ae

Download Submit
memory/1460-206-0x000000007260D000-0x0000000072618000-memory.dmp

Filesize
44KB

Download
memory/1460-194-0x000000007260D000-0x0000000072618000-memory.dmp

Filesize
44KB

Download
memory/1460-182-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1868-191-0x000007FEF6840000-0x000007FEF6851000-memory.dmp

Filesize
68KB

Download
memory/1868-186-0x000007FEF73B0000-0x000007FEF73C8000-memory.dmp

Filesize
96KB

Download
memory/1868-216-0x000007FEF5000000-0x000007FEF60AB000-memory.dmp

Filesize
16.7MB

Download
memory/1868-192-0x000007FEF5000000-0x000007FEF60AB000-memory.dmp

Filesize
16.7MB

Download
memory/1868-231-0x000007FEF68E0000-0x000007FEF6914000-memory.dmp

Filesize
208KB

Download
memory/1868-189-0x000007FEF6880000-0x000007FEF6897000-memory.dmp

Filesize
92KB

Download
memory/1868-233-0x000007FEF5000000-0x000007FEF60AB000-memory.dmp

Filesize
16.7MB

Download
memory/1868-230-0x000000013F730000-0x000000013F828000-memory.dmp

Filesize
992KB

Download
memory/1868-190-0x000007FEF6860000-0x000007FEF687D000-memory.dmp

Filesize
116KB

Download
memory/1868-232-0x000007FEF61E0000-0x000007FEF6494000-memory.dmp

Filesize
2.7MB

Download
memory/1868-188-0x000007FEF68A0000-0x000007FEF68B1000-memory.dmp

Filesize
68KB

Download
memory/1868-193-0x000007FEF4F90000-0x000007FEF4FF7000-memory.dmp

Filesize
412KB

Download
memory/1868-183-0x000000013F730000-0x000000013F828000-memory.dmp

Filesize
992KB

Download
memory/1868-184-0x000007FEF68E0000-0x000007FEF6914000-memory.dmp

Filesize
208KB

Download
memory/1868-185-0x000007FEF61E0000-0x000007FEF6494000-memory.dmp

Filesize
2.7MB

Download
memory/1868-187-0x000007FEF68C0000-0x000007FEF68D7000-memory.dmp

Filesize
92KB

Download
memory/1980-11-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-44-0x000000007138D000-0x0000000071398000-memory.dmp

Filesize
44KB

Download
memory/1980-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1980-10-0x000000002FBD1000-0x000000002FBD2000-memory.dmp

Filesize
4KB

Download
memory/1980-12-0x000000007138D000-0x0000000071398000-memory.dmp

Filesize
44KB

Download
memory/2524-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2524-5-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2964-7-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/2964-2-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/2964-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-3-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download
memory/2964-0-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/2964-6-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-8-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-9-0x00000000044A0000-0x00000000044E0000-memory.dmp

Filesize
256KB

Download