Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| wpswireless-invoice-08.11.22.doc | Zip archive data, at least v2.0 to extract | initial sample | |
| C:\Users\user\AppData\Local\Temp\y6A2E.tmp.dll | HTML document, ASCII text | modified | |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\rm[1].htm | HTML document, ASCII text | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\wpswireless-invoice-08.11.22.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:53 2022, mtime=Tue Mar 8 15:45:53 2022, atime=Thu Aug 11 23:42:11 2022, length=2256213, window=hide | dropped | |
| C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | dropped | |
| C:\Users\user\Desktop\~$swireless-invoice-08.11.22.doc | data | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://45.8.146.139/fhfty/_C45V3_-S5YKINT86D3PPVX0ILQLA-SG/rm | 45.8.146.139 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 45.8.146.139 | unknown | Russian Federation | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | c$/ | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word | MTTT | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | :&/ | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | \|(/ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP5FilesIntl_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP6FilesIntl_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover | Name | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover | Path | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\Recover | Extensions | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos | Name | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos | Path | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WrdPrfctDos | Extensions | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x | Name | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x | Path | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Word\Text Converters\Import\WordPerfect6x | Extensions | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | VBAFiles | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle | ReviewToken | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\65BE6 | 65BE6 | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | |
| HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | 1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | WORDFiles | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000100000000F01FEC\Usage | ProductFiles | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP5FilesIntl_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP6FilesIntl_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP5FilesIntl_1033 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400100000000F01FEC\Usage | TCWP6FilesIntl_1033 | |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | |
Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 366000 | heap | page read and write | |
| 35D000 | heap | page read and write | |
| 420000 | heap | page read and write | |
| 290000 | heap | page read and write | |
| 7EFE0000 | unknown | page readonly | |
| 327000 | heap | page read and write | |
| 25D000 | stack | page read and write | |
| 320000 | heap | page read and write | |
| 1B0000 | heap | page read and write | |
| 1B4000 | heap | page read and write | |
| B3E000 | stack | page read and write | |
| BDF000 | stack | page read and write | |
| 19F000 | stack | page read and write | |
| 10000 | heap | page read and write | |
| 37F000 | heap | page read and write | |
| 456000 | heap | page read and write | |
| 5FA000 | stack | page read and write | |