Highly malicious document behavior detected

Found malicious artifacts related to "205.185.208.52".
"GET /system/content_images/uploads/139/2b8/a9-/original/warning_black.png HTTP/1.1
"GET /system/content_images/uploads/4c9/018/33-/original/address-bar.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible MSIE 7.0 Windows NT 6.1 Trident/4.0 SLCC2.
"GET /system/content_files/uploads/877/4ab/1c-/original/education-fonts.css HTTP/1.1

Removes Office resiliency keys (often used to avoid problems opening documents)

Adversaries may attempt to get a listing of open application windows.

Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network.

Contains embedded VBA macros (normalized)

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in ] and ].

Installs hooks/patches the running process

Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources.

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual.

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager.