8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 16:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
Size

256KB
MD5

044d5ca7daafeca66ac936cf582f1ab0
SHA1

cc219e015dad31d9bc1f4b9cc9f5f778233feb27
SHA256

8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56
SHA512

1cd579c8521845c83c35645f49e971cdf6b7577367a700dd6a0f8983f8b18e63aee8a001c7837759bc1695a395a0777ef8ce811cc89a1a824c85203114c85e79
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIA

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	gpviksfkbu.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gpviksfkbu.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gpviksfkbu.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gpviksfkbu.exe

Executes dropped EXE 5 IoCs

pid	Process
1132	gpviksfkbu.exe
1056	ztebcfmqvfzhoyq.exe
272	enwwlikt.exe
1724	glgyzvjlityte.exe
696	enwwlikt.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1112-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/files/0x0007000000005c50-58.dat	upx
behavioral1/files/0x0007000000005c50-60.dat	upx
behavioral1/files/0x000b0000000122d2-61.dat	upx
behavioral1/files/0x000b0000000122d2-63.dat	upx
behavioral1/files/0x000a0000000122d6-66.dat	upx
behavioral1/files/0x00090000000122e8-70.dat	upx
behavioral1/files/0x000b0000000122d2-65.dat	upx
behavioral1/files/0x000a0000000122d6-68.dat	upx
behavioral1/files/0x00090000000122e8-72.dat	upx
behavioral1/files/0x000a0000000122d6-74.dat	upx
behavioral1/files/0x00090000000122e8-75.dat	upx
behavioral1/memory/1132-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1056-79-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/272-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1724-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000a0000000122d6-84.dat	upx
behavioral1/files/0x000a0000000122d6-86.dat	upx
behavioral1/memory/696-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1112-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1132-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1056-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/272-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1724-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/696-100-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0007000000013382-104.dat	upx
behavioral1/files/0x00070000000133a7-105.dat	upx
behavioral1/files/0x00070000000133ab-107.dat	upx
behavioral1/files/0x00070000000133ab-108.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1132	gpviksfkbu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	gpviksfkbu.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "glgyzvjlityte.exe"	ztebcfmqvfzhoyq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ztebcfmqvfzhoyq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pdhcmpca = "gpviksfkbu.exe"	ztebcfmqvfzhoyq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eegdncgt = "ztebcfmqvfzhoyq.exe"	ztebcfmqvfzhoyq.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	enwwlikt.exe
File opened (read-only)	\??\o:	enwwlikt.exe
File opened (read-only)	\??\a:	gpviksfkbu.exe
File opened (read-only)	\??\u:	enwwlikt.exe
File opened (read-only)	\??\z:	enwwlikt.exe
File opened (read-only)	\??\g:	enwwlikt.exe
File opened (read-only)	\??\k:	enwwlikt.exe
File opened (read-only)	\??\x:	enwwlikt.exe
File opened (read-only)	\??\h:	enwwlikt.exe
File opened (read-only)	\??\p:	enwwlikt.exe
File opened (read-only)	\??\k:	gpviksfkbu.exe
File opened (read-only)	\??\l:	enwwlikt.exe
File opened (read-only)	\??\e:	enwwlikt.exe
File opened (read-only)	\??\b:	gpviksfkbu.exe
File opened (read-only)	\??\n:	gpviksfkbu.exe
File opened (read-only)	\??\v:	gpviksfkbu.exe
File opened (read-only)	\??\r:	enwwlikt.exe
File opened (read-only)	\??\v:	enwwlikt.exe
File opened (read-only)	\??\f:	enwwlikt.exe
File opened (read-only)	\??\j:	enwwlikt.exe
File opened (read-only)	\??\q:	enwwlikt.exe
File opened (read-only)	\??\v:	enwwlikt.exe
File opened (read-only)	\??\t:	gpviksfkbu.exe
File opened (read-only)	\??\m:	enwwlikt.exe
File opened (read-only)	\??\n:	enwwlikt.exe
File opened (read-only)	\??\s:	enwwlikt.exe
File opened (read-only)	\??\i:	enwwlikt.exe
File opened (read-only)	\??\n:	enwwlikt.exe
File opened (read-only)	\??\s:	enwwlikt.exe
File opened (read-only)	\??\x:	enwwlikt.exe
File opened (read-only)	\??\f:	gpviksfkbu.exe
File opened (read-only)	\??\g:	gpviksfkbu.exe
File opened (read-only)	\??\r:	gpviksfkbu.exe
File opened (read-only)	\??\u:	gpviksfkbu.exe
File opened (read-only)	\??\w:	gpviksfkbu.exe
File opened (read-only)	\??\b:	enwwlikt.exe
File opened (read-only)	\??\q:	enwwlikt.exe
File opened (read-only)	\??\l:	gpviksfkbu.exe
File opened (read-only)	\??\x:	gpviksfkbu.exe
File opened (read-only)	\??\i:	enwwlikt.exe
File opened (read-only)	\??\z:	enwwlikt.exe
File opened (read-only)	\??\p:	gpviksfkbu.exe
File opened (read-only)	\??\e:	gpviksfkbu.exe
File opened (read-only)	\??\z:	gpviksfkbu.exe
File opened (read-only)	\??\b:	enwwlikt.exe
File opened (read-only)	\??\j:	gpviksfkbu.exe
File opened (read-only)	\??\j:	enwwlikt.exe
File opened (read-only)	\??\p:	enwwlikt.exe
File opened (read-only)	\??\t:	enwwlikt.exe
File opened (read-only)	\??\l:	enwwlikt.exe
File opened (read-only)	\??\w:	enwwlikt.exe
File opened (read-only)	\??\y:	enwwlikt.exe
File opened (read-only)	\??\i:	gpviksfkbu.exe
File opened (read-only)	\??\a:	enwwlikt.exe
File opened (read-only)	\??\k:	enwwlikt.exe
File opened (read-only)	\??\y:	enwwlikt.exe
File opened (read-only)	\??\y:	gpviksfkbu.exe
File opened (read-only)	\??\o:	enwwlikt.exe
File opened (read-only)	\??\m:	enwwlikt.exe
File opened (read-only)	\??\r:	enwwlikt.exe
File opened (read-only)	\??\t:	enwwlikt.exe
File opened (read-only)	\??\u:	enwwlikt.exe
File opened (read-only)	\??\h:	gpviksfkbu.exe
File opened (read-only)	\??\s:	gpviksfkbu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	gpviksfkbu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	gpviksfkbu.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1132-77-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1056-79-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/272-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1724-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/696-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1112-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1132-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1056-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/272-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1724-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/696-100-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\glgyzvjlityte.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\SysWOW64\glgyzvjlityte.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	gpviksfkbu.exe
File created	C:\Windows\SysWOW64\gpviksfkbu.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\SysWOW64\gpviksfkbu.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File created	C:\Windows\SysWOW64\enwwlikt.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\SysWOW64\enwwlikt.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File created	C:\Windows\SysWOW64\ztebcfmqvfzhoyq.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\SysWOW64\ztebcfmqvfzhoyq.exe	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	enwwlikt.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	enwwlikt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	enwwlikt.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	enwwlikt.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	enwwlikt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	enwwlikt.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	enwwlikt.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	gpviksfkbu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67415E5DABFB8CA7CE7EDE037CD"	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	gpviksfkbu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	gpviksfkbu.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BB1FE6C21DBD27DD1D58A7A916B"	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	gpviksfkbu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	gpviksfkbu.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF8B482782189032D6217DE6BDE1E1405843664E6243D791"	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
272	enwwlikt.exe
272	enwwlikt.exe
272	enwwlikt.exe
272	enwwlikt.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
696	enwwlikt.exe
696	enwwlikt.exe
696	enwwlikt.exe
696	enwwlikt.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1056	ztebcfmqvfzhoyq.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
272	enwwlikt.exe
272	enwwlikt.exe
272	enwwlikt.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
696	enwwlikt.exe
696	enwwlikt.exe
696	enwwlikt.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1132	gpviksfkbu.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
1056	ztebcfmqvfzhoyq.exe
272	enwwlikt.exe
272	enwwlikt.exe
272	enwwlikt.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
1724	glgyzvjlityte.exe
696	enwwlikt.exe
696	enwwlikt.exe
696	enwwlikt.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
636	WINWORD.EXE
636	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1132	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	26
PID 1112 wrote to memory of 1132	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	26
PID 1112 wrote to memory of 1132	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	26
PID 1112 wrote to memory of 1132	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	26
PID 1112 wrote to memory of 1056	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	27
PID 1112 wrote to memory of 1056	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	27
PID 1112 wrote to memory of 1056	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	27
PID 1112 wrote to memory of 1056	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	27
PID 1112 wrote to memory of 272	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	28
PID 1112 wrote to memory of 272	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	28
PID 1112 wrote to memory of 272	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	28
PID 1112 wrote to memory of 272	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	28
PID 1112 wrote to memory of 1724	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	29
PID 1112 wrote to memory of 1724	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	29
PID 1112 wrote to memory of 1724	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	29
PID 1112 wrote to memory of 1724	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	29
PID 1132 wrote to memory of 696	1132	gpviksfkbu.exe	30
PID 1132 wrote to memory of 696	1132	gpviksfkbu.exe	30
PID 1132 wrote to memory of 696	1132	gpviksfkbu.exe	30
PID 1132 wrote to memory of 696	1132	gpviksfkbu.exe	30
PID 1112 wrote to memory of 636	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	31
PID 1112 wrote to memory of 636	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	31
PID 1112 wrote to memory of 636	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	31
PID 1112 wrote to memory of 636	1112	8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe	31
PID 636 wrote to memory of 304	636	WINWORD.EXE	35
PID 636 wrote to memory of 304	636	WINWORD.EXE	35
PID 636 wrote to memory of 304	636	WINWORD.EXE	35
PID 636 wrote to memory of 304	636	WINWORD.EXE	35

C:\Users\Admin\AppData\Local\Temp\8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe
"C:\Users\Admin\AppData\Local\Temp\8c8f0dac5b4b18f8004c348b3e76199be88367c31e28cffcf13e41885f88bf56.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\SysWOW64\gpviksfkbu.exe
  gpviksfkbu.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\enwwlikt.exe
    C:\Windows\system32\enwwlikt.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:696
- C:\Windows\SysWOW64\ztebcfmqvfzhoyq.exe
  ztebcfmqvfzhoyq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1056
- C:\Windows\SysWOW64\enwwlikt.exe
  enwwlikt.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:272
- C:\Windows\SysWOW64\glgyzvjlityte.exe
  glgyzvjlityte.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1724
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
256KB

MD5
a08fe3b7821487424311ad9f7c2a8d67

SHA1
9aaf6ae39dca8265289f541b0c4cf3f8010d0bb9

SHA256
4e199b518edb73ecf1024c54c17da1f1d98ccb499d26d850df571e746e294b11

SHA512
d7caff3103e4d1f5418d77ae6685174dff0a125b2e0ef144c42d04b51b6aa94cc9ea87c77bd0da0d37ca7043ddb5e8a9ea99ad65981e2c4f30be27738109ab45

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
256KB

MD5
24cd837377f85e17aa29e0fdd23c7022

SHA1
61046091ba7c892124b5d3cb31de9130d967bd99

SHA256
bb7ae7602d0d8fbd7ea29cbfefd6e7468816158afe40a1bd90a5e1f79e6919d9

SHA512
2af654cbf0c209a0b1719b545277162808c72c213ebe27c7a25d67f486dace39477ce95aae966bc4b7852cd89f9ed302a6d6f474074f653b8d6df1dfef75c31e

Download Submit
C:\Users\Admin\AppData\Roaming\StartAdd.doc.exe

Filesize
256KB

MD5
d16bf80deb6ad6a95c3860acdfc81481

SHA1
4bd31644c766586da850f5a98015f0288388e41a

SHA256
743cf3cdcca1041d88791b00138b5cb98e07c6bf1e81b72552b5a45702043be2

SHA512
42928ff3c3b308011fe6547f7af9c85d72b2241274d7eceadf315b9ea4e7e1cbe70d711ca151a353e5e4014632f1a2672edc93a115310cc0ad0649610d5ef424

Download Submit
C:\Windows\SysWOW64\enwwlikt.exe

Filesize
256KB

MD5
efcebb92529be49dd1b44fc0179e72aa

SHA1
ca2f0d09c3dfac6351ce385b3cba738f13bb8206

SHA256
21c0544652da59253222a55ac93d5c955e844590ca91dfca00c624dfc08c50cd

SHA512
861c78c74a0a00ee6e707c8beadb8c154b8b9082c6edd04f9917ff0757b7295b01ffdc3d5379d11edd96aedada81fc0cc2f5ec030acceaaf724125867d52336e

Download Submit
C:\Windows\SysWOW64\enwwlikt.exe

Filesize
256KB

MD5
efcebb92529be49dd1b44fc0179e72aa

SHA1
ca2f0d09c3dfac6351ce385b3cba738f13bb8206

SHA256
21c0544652da59253222a55ac93d5c955e844590ca91dfca00c624dfc08c50cd

SHA512
861c78c74a0a00ee6e707c8beadb8c154b8b9082c6edd04f9917ff0757b7295b01ffdc3d5379d11edd96aedada81fc0cc2f5ec030acceaaf724125867d52336e

Download Submit
C:\Windows\SysWOW64\enwwlikt.exe

Filesize
256KB

MD5
efcebb92529be49dd1b44fc0179e72aa

SHA1
ca2f0d09c3dfac6351ce385b3cba738f13bb8206

SHA256
21c0544652da59253222a55ac93d5c955e844590ca91dfca00c624dfc08c50cd

SHA512
861c78c74a0a00ee6e707c8beadb8c154b8b9082c6edd04f9917ff0757b7295b01ffdc3d5379d11edd96aedada81fc0cc2f5ec030acceaaf724125867d52336e

Download Submit
C:\Windows\SysWOW64\glgyzvjlityte.exe

Filesize
256KB

MD5
ccb48b2899d226cae752f7e30def3e9f

SHA1
a5f46c5bb5f6d6aa6ba256c0f22ecec4e27c8739

SHA256
59cbe129492299a2017f9568750f42314765169a5b743c9b9ea0db149be71131

SHA512
a9238d507364a7e1de0daf5297521ed3af8fd608b9a5167e093195ec32323b1b239337e8df1c19709292ddfcab9364403f97dd5529adf1d7ac232626cef59b87

Download Submit
C:\Windows\SysWOW64\glgyzvjlityte.exe

Filesize
256KB

MD5
ccb48b2899d226cae752f7e30def3e9f

SHA1
a5f46c5bb5f6d6aa6ba256c0f22ecec4e27c8739

SHA256
59cbe129492299a2017f9568750f42314765169a5b743c9b9ea0db149be71131

SHA512
a9238d507364a7e1de0daf5297521ed3af8fd608b9a5167e093195ec32323b1b239337e8df1c19709292ddfcab9364403f97dd5529adf1d7ac232626cef59b87

Download Submit
C:\Windows\SysWOW64\gpviksfkbu.exe

Filesize
256KB

MD5
46a27b082874f251063aece18c7aaf8f

SHA1
90d468d89f1bcff48ba2dd41ebedfac0640f6ab8

SHA256
2b09d8a19f54190eb442b7d6a24a1d580c865670d9ceed7f5cc33cfc947874b6

SHA512
566e1a059fe802df5b5e049d57d8fd20a3e763e058b3d299f85006a0e7c152e3181663a127dfb4c631998dad54e560e8f81dcafd06def7806ba983bfaf071937

Download Submit
C:\Windows\SysWOW64\gpviksfkbu.exe

Filesize
256KB

MD5
46a27b082874f251063aece18c7aaf8f

SHA1
90d468d89f1bcff48ba2dd41ebedfac0640f6ab8

SHA256
2b09d8a19f54190eb442b7d6a24a1d580c865670d9ceed7f5cc33cfc947874b6

SHA512
566e1a059fe802df5b5e049d57d8fd20a3e763e058b3d299f85006a0e7c152e3181663a127dfb4c631998dad54e560e8f81dcafd06def7806ba983bfaf071937

Download Submit
C:\Windows\SysWOW64\ztebcfmqvfzhoyq.exe

Filesize
256KB

MD5
234798ec0eac59de76dd510e70ccf2d1

SHA1
b668ff300bcbe87af322540235ede00c39ff012a

SHA256
c648c6381c601d3a17304b98df4c7b372c00e1404b0790c350979529383076d5

SHA512
0e1fc01712c4d10bbe52ba41ce4901b28f0779b67e6e2c076b0e13efd4fdae598c1803f74ea34fa5f249ea3f4141ea003b1ce5893d5bff9896723c61af2c5cab

Download Submit
C:\Windows\SysWOW64\ztebcfmqvfzhoyq.exe

Filesize
256KB

MD5
234798ec0eac59de76dd510e70ccf2d1

SHA1
b668ff300bcbe87af322540235ede00c39ff012a

SHA256
c648c6381c601d3a17304b98df4c7b372c00e1404b0790c350979529383076d5

SHA512
0e1fc01712c4d10bbe52ba41ce4901b28f0779b67e6e2c076b0e13efd4fdae598c1803f74ea34fa5f249ea3f4141ea003b1ce5893d5bff9896723c61af2c5cab

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Users\Admin\AppData\Roaming\StartAdd.doc.exe

Filesize
256KB

MD5
d16bf80deb6ad6a95c3860acdfc81481

SHA1
4bd31644c766586da850f5a98015f0288388e41a

SHA256
743cf3cdcca1041d88791b00138b5cb98e07c6bf1e81b72552b5a45702043be2

SHA512
42928ff3c3b308011fe6547f7af9c85d72b2241274d7eceadf315b9ea4e7e1cbe70d711ca151a353e5e4014632f1a2672edc93a115310cc0ad0649610d5ef424

Download Submit
\Windows\SysWOW64\enwwlikt.exe

Filesize
256KB

MD5
efcebb92529be49dd1b44fc0179e72aa

SHA1
ca2f0d09c3dfac6351ce385b3cba738f13bb8206

SHA256
21c0544652da59253222a55ac93d5c955e844590ca91dfca00c624dfc08c50cd

SHA512
861c78c74a0a00ee6e707c8beadb8c154b8b9082c6edd04f9917ff0757b7295b01ffdc3d5379d11edd96aedada81fc0cc2f5ec030acceaaf724125867d52336e

Download Submit
\Windows\SysWOW64\enwwlikt.exe

Filesize
256KB

MD5
efcebb92529be49dd1b44fc0179e72aa

SHA1
ca2f0d09c3dfac6351ce385b3cba738f13bb8206

SHA256
21c0544652da59253222a55ac93d5c955e844590ca91dfca00c624dfc08c50cd

SHA512
861c78c74a0a00ee6e707c8beadb8c154b8b9082c6edd04f9917ff0757b7295b01ffdc3d5379d11edd96aedada81fc0cc2f5ec030acceaaf724125867d52336e

Download Submit
\Windows\SysWOW64\glgyzvjlityte.exe

Filesize
256KB

MD5
ccb48b2899d226cae752f7e30def3e9f

SHA1
a5f46c5bb5f6d6aa6ba256c0f22ecec4e27c8739

SHA256
59cbe129492299a2017f9568750f42314765169a5b743c9b9ea0db149be71131

SHA512
a9238d507364a7e1de0daf5297521ed3af8fd608b9a5167e093195ec32323b1b239337e8df1c19709292ddfcab9364403f97dd5529adf1d7ac232626cef59b87

Download Submit
\Windows\SysWOW64\gpviksfkbu.exe

Filesize
256KB

MD5
46a27b082874f251063aece18c7aaf8f

SHA1
90d468d89f1bcff48ba2dd41ebedfac0640f6ab8

SHA256
2b09d8a19f54190eb442b7d6a24a1d580c865670d9ceed7f5cc33cfc947874b6

SHA512
566e1a059fe802df5b5e049d57d8fd20a3e763e058b3d299f85006a0e7c152e3181663a127dfb4c631998dad54e560e8f81dcafd06def7806ba983bfaf071937

Download Submit
\Windows\SysWOW64\ztebcfmqvfzhoyq.exe

Filesize
256KB

MD5
234798ec0eac59de76dd510e70ccf2d1

SHA1
b668ff300bcbe87af322540235ede00c39ff012a

SHA256
c648c6381c601d3a17304b98df4c7b372c00e1404b0790c350979529383076d5

SHA512
0e1fc01712c4d10bbe52ba41ce4901b28f0779b67e6e2c076b0e13efd4fdae598c1803f74ea34fa5f249ea3f4141ea003b1ce5893d5bff9896723c61af2c5cab

Download Submit
memory/272-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/272-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/304-106-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

Filesize
8KB

Download
memory/636-91-0x00000000727B1000-0x00000000727B4000-memory.dmp

Filesize
12KB

Download
memory/636-102-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/636-93-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/636-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/636-110-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/636-92-0x0000000070231000-0x0000000070233000-memory.dmp

Filesize
8KB

Download
memory/636-98-0x000000007121D000-0x0000000071228000-memory.dmp

Filesize
44KB

Download
memory/696-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/696-100-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1056-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1056-79-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1112-80-0x0000000003330000-0x00000000033D0000-memory.dmp

Filesize
640KB

Download
memory/1112-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1112-82-0x0000000003330000-0x00000000033D0000-memory.dmp

Filesize
640KB

Download
memory/1112-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1112-78-0x0000000003330000-0x00000000033D0000-memory.dmp

Filesize
640KB

Download
memory/1112-76-0x0000000003330000-0x00000000033D0000-memory.dmp

Filesize
640KB

Download
memory/1112-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1132-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1132-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1724-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1724-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download