Analysis
max time kernel: 151s
max time network: 50s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06/11/2022, 16:07
Static task: static1
Behavioral task: behavioral1; sample 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe; resource win7-20220901-en
Behavioral task: behavioral2; sample 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe; resource win10v2004-20220812-en
The platform and resource above, and the behavioral1 labels in the signature evidence below, refer to the Windows 7 x64 run; results of the behavioral2 (Windows 10) run are not included on this page.

General
Target: 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
Size: 512KB
MD5: 0e63f45c2d3ab50c8a0048077bcc7260
SHA1: 410c56790d05f4743f7fb98c86b5d36601d4f41c
SHA256: 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739
SHA512: 689f6501d5cd44d6ec9f313417cc8ed9a05c5d0cc60a1b46c7f9ff642d5325b35e1c7b0e8c95d1826bd8bc6722bd49767f18cc78bdd24509d386885673039596
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | rvfadgwnkr.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | rvfadgwnkr.exe
With HideFileExt set, the *.doc.exe files this sample writes next to documents (see "Drops file in Program Files directory") are shown as *.doc in Explorer; with ShowSuperHidden cleared, files carrying the hidden+system attributes stay invisible even when "show hidden files" is enabled. Both are per-user (HKU) settings, so they take effect for the logged-on user without elevation.
Untitled signature table (the heading is not present on the page); all rows are Security Center values:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rvfadgwnkr.exe
These are the XP-era Security Center values that suppress the "antivirus / firewall / updates are off" warnings. They land under Wow6432Node because rvfadgwnkr.exe is a 32-bit process whose HKLM\SOFTWARE writes are redirected by WoW64; a hunt on the native key alone would miss them.
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | rvfadgwnkr.exe
This is the user policy that makes regedit refuse to start. The same process also re-associates .reg files to txtfile (see "Modifies registry class"), so the two common ways of undoing its registry changes by hand are both blocked for that user; use reg.exe or PowerShell from another account, or offline hive editing, to revert.
Executes dropped EXE (6 IoCs)
pid | Process
268 | rvfadgwnkr.exe
1476 | vpodhoetlylzfwd.exe
1020 | hbfzgvve.exe
1468 | sulhwtpcrfcml.exe
632 | sulhwtpcrfcml.exe
2032 | hbfzgvve.exe
Four distinct dropped binaries; sulhwtpcrfcml.exe and hbfzgvve.exe each run twice under different PIDs.
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Both writes come from explorer.exe, not from the sample or its dropped binaries, and no StubPath or other value is set under the key. The shell creates the per-user Active Setup key when it processes Active Setup at logon, so treat this as background activity unless a dropped file turns up as a StubPath.
Loads dropped DLL (6 IoCs)
pid | Process
1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe (4 events)
1636 | cmd.exe
268 | rvfadgwnkr.exe
cmd.exe (pid 1636) is the child that vpodhoetlylzfwd.exe starts (see "Suspicious use of WriteProcessMemory").
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are attached to this signature on the page.

Untitled signature table (the heading is not present on the page); the rows are the same Security Center values as in the earlier untitled table, plus FirstRunDisabled:
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | rvfadgwnkr.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | vpodhoetlylzfwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\csimyrbm = "rvfadgwnkr.exe" | vpodhoetlylzfwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yxpadibe = "vpodhoetlylzfwd.exe" | vpodhoetlylzfwd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "sulhwtpcrfcml.exe" | vpodhoetlylzfwd.exe
The third entry is the key's default (unnamed) value. All three are bare file names with no path; they resolve at logon because the binaries were dropped into C:\Windows\SysWOW64 (see "Drops file in System32 directory"), which is what a 32-bit process sees as System32 on its search path. A hunt for this persistence should therefore match on value data as well as value names, and should read the 32-bit Run key (HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run) in addition to the native one.
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: b: e: f: g: h: i: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: (one open each, 23 events) | rvfadgwnkr.exe
File opened (read-only) | \??\a: b: e: f: g: h: i: j: k: l: m: n: o: p: r: s: t: u: v: w: x: y: z: (41 events; b, h, k, v and x once, the other 18 letters twice) | hbfzgvve.exe
Neither process touches c: or d:. The pattern is a sweep across drive letters, the usual way of finding removable or mapped volumes, rather than access to one specific device; on a real host, check any removable media that was attached for copies of the dropped files.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | rvfadgwnkr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | rvfadgwnkr.exe
4294967197 is 0xFFFFFF9D, the undocumented value used to switch off Windows File Protection on Windows 2000/XP. Vista and later replaced WFP with Windows Resource Protection and ignore these values, so on the Windows 7 sandbox the writes are inert; they remain a reliable indicator because legitimate software has no reason to set them, and they show the sample's code base predates the OS it was run on.
AutoIT Executable (26 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1200-55-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0008000000005c51-56.dat, -58.dat, -62.dat | autoit_exe
behavioral1/files/0x0009000000013482-61.dat, -64.dat, -68.dat | autoit_exe
behavioral1/files/0x0008000000013a09-67.dat, -70.dat, -84.dat, -85.dat, -87.dat | autoit_exe
behavioral1/files/0x0007000000013a31-71.dat, -74.dat, -77.dat, -79.dat, -81.dat | autoit_exe
behavioral1/files/0x00060000000142d7-99.dat | autoit_exe
behavioral1/files/0x0006000000014486-100.dat | autoit_exe
behavioral1/files/0x000600000001448d-101.dat | autoit_exe
behavioral1/files/0x00060000000144ba-102.dat, -103.dat | autoit_exe
behavioral1/files/0x000600000001460b-104.dat | autoit_exe
behavioral1/files/0x000600000001468b-105.dat, -106.dat | autoit_exe
behavioral1/files/0x00060000000146af-107.dat | autoit_exe
The first hit is the memory image of the original sample (pid 1200); the remaining hits are files the sandbox captured during the run, i.e. the copies the sample writes out. A compiled AutoIt binary embeds its script, which the usual decompilers can normally recover, so reading the script is the quickest route to the full behaviour, including anything the 151-second run did not reach.
Drops file in System32 directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | rvfadgwnkr.exe
File created | C:\Windows\SysWOW64\rvfadgwnkr.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File opened for modification | C:\Windows\SysWOW64\rvfadgwnkr.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File created | C:\Windows\SysWOW64\vpodhoetlylzfwd.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File opened for modification | C:\Windows\SysWOW64\vpodhoetlylzfwd.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File created | C:\Windows\SysWOW64\hbfzgvve.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File opened for modification | C:\Windows\SysWOW64\hbfzgvve.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File created | C:\Windows\SysWOW64\sulhwtpcrfcml.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File opened for modification | C:\Windows\SysWOW64\sulhwtpcrfcml.exe | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
The sample writes all four components into C:\Windows\SysWOW64 (System32 as a 32-bit process sees it). Creating files there needs write access to the Windows directory, so this run was elevated; on a standard-user desktop these creates would be denied. rvfadgwnkr.exe also opens the VB6 runtime msvbvm60.dll for writing, so that file should be compared against a known-good copy on any infected host.
Drops file in Program Files directory (22 IoCs)
All 22 rows are hbfzgvve.exe; the raw rows list the same path both as C:\... and as \??\c:\..., which is why each target appears several times.
description | ioc | Process
File created (1), File opened for modification (4) | C:\Program Files\SubmitExpand.doc.exe | hbfzgvve.exe
File opened for modification (2) | C:\Program Files\SubmitExpand.nal | hbfzgvve.exe
File created (2), File opened for modification (4) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hbfzgvve.exe
File opened for modification (2) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hbfzgvve.exe
File created (1), File opened for modification (4) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hbfzgvve.exe
File opened for modification (2) | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hbfzgvve.exe
The names mirror documents already on the system (PROTTPLN.DOC and PROTTPLV.DOC ship with Office 2010 under Office14\1033): for each one, hbfzgvve.exe writes an executable twin with a double extension plus a .nal side file. Together with the HideFileExt write by rvfadgwnkr.exe, Explorer displays PROTTPLV.DOC.exe as PROTTPLV.DOC. When cleaning up, search the whole file system for *.doc.exe / *.nal pairs rather than only the paths listed here; these are just the files reached within the sandbox's run time.
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
The sample writes mydoc.rtf and it is then opened in Word (~$mydoc.rtf is Word's owner/lock file), the usual decoy-document pattern: a document is shown while the dropped executables run. Every WINWORD.EXE entry elsewhere in this report (the Internet Explorer editor and registry class writes, the wiatrace.log write, the clipboard listener and window hooks) is Word's own behaviour triggered by that open, not activity of the dropped binaries.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That is the signature's generic description. No encryption or ransom-note activity appears in this report; the drive access observed is the letter sweep by rvfadgwnkr.exe and hbfzgvve.exe listed under "Enumerates connected drives".

Office loads VBA resources, possible macro or embedded object present
No IoC rows are attached to this signature on the page.
Untitled signature table (the heading is not present on the page). Every row is written by WINWORD.EXE while it has C:\Windows\mydoc.rtf open and is Office's own Internet Explorer "edit with" registration; none of the dropped binaries touch these keys. In the ioc column, <SID> stands for S-1-5-21-4063495947-34355257-727531523-1000.
description | ioc | Process
Key created | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key created | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\<SID>\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
For each of the two editor keys \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor and \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor (written as <editor> below), the same set of rows:
Key deleted | <editor>, <editor>\shell, <editor>\shell\edit, <editor>\shell\edit\COMMAND | WINWORD.EXE
Key created | <editor>, <editor>\shell, <editor>\shell\edit, <editor>\shell\edit\command | WINWORD.EXE
Set value (str) | <editor>\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | <editor>\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | <editor>\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
The REG_BINARY "command" value is UTF-16LE text: a Windows Installer (Darwin) descriptor naming the WORDFiles feature, followed by the same /n "%1" arguments as the string value. It is how Office advertises its shell verbs to Windows Installer and is not a payload.
Modifies registry class (64 IoCs)
The 64 rows come from four processes; only the first two blocks below are the sample's. In the ioc column, <SID> stands for S-1-5-21-4063495947-34355257-727531523-1000.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | rvfadgwnkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | rvfadgwnkr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | rvfadgwnkr.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412D7E9C5683276A4176D777212CA97D8565DB" | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C77914E2DAC5B8C07C92EDE734CC" | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFC82482C85199046D6587E95BDEEE630594167446333D798" | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe
Key created | \REGISTRY\USER\<SID>_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\<SID>_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\<SID>_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (2 events) | explorer.exe
Set value (data) | \REGISTRY\USER\<SID>_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
The remaining rows are WINWORD.EXE, all under \REGISTRY\MACHINE\SOFTWARE\Classes: the htmlfile and mhtmlfile keys (DefaultIcon\ = "\"%1\"", shell\Print\ = "&Print", shell\Edit\command deleted and re-created, mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"); Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} with its InprocServer32, Old Icon\htmlfile and Old Icon\mhtmlfile subkeys; and OpenWithList entries under .htm and .mht for WinWord.exe, Microsoft Word, Excel.exe, Microsoft Excel, MSPub.exe and Microsoft Publisher, each with shell\edit\ = "&Open", a shell\edit\command\ string ("\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"", "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" or "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"), a REG_BINARY shell\edit\command\command blob, and for the Excel entries a ddeexec subtree (application\ = "Excel", topic\ = "system"). The three blobs are UTF-16LE Windows Installer descriptors for the WORDFiles, EXCELFiles and PubPrimary features carrying the same arguments as the string values; the Word one is the same blob seen in the Internet Explorer editor table above.
What matters for triage: with .reg and .WSH mapped to txtfile, double-clicking a .reg export no longer imports it (pairing with the DisableRegistryTools write) and .wsh scripts open as text; the CLV.Classes key with its Com1, StartCom2 and Com4 hex strings is created by the sample itself, has no legitimate owner, and is a clean host-level indicator. The explorer.exe ShellBag (BagMRU) writes and the Office registrations are background noise.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1156 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 2032 hbfzgvve.exe 2032 hbfzgvve.exe 2032 hbfzgvve.exe 2032 hbfzgvve.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1020 hbfzgvve.exe 1020 hbfzgvve.exe 1020 hbfzgvve.exe 1020 hbfzgvve.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 1476 vpodhoetlylzfwd.exe 632 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 1476 vpodhoetlylzfwd.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: 33 1988 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1988 AUDIODG.EXE Token: 33 1988 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1988 AUDIODG.EXE Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 656 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe Token: SeShutdownPrivilege 1544 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 1200 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 268 rvfadgwnkr.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1476 vpodhoetlylzfwd.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 1468 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 632 sulhwtpcrfcml.exe 2032 hbfzgvve.exe 2032 hbfzgvve.exe 2032 hbfzgvve.exe 1020 hbfzgvve.exe 1020 hbfzgvve.exe 1020 hbfzgvve.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 656 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe 1544 explorer.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid | Process | rows
1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 3
268 | rvfadgwnkr.exe | 3
1476 | vpodhoetlylzfwd.exe | 3
1468 | sulhwtpcrfcml.exe | 3
656 | explorer.exe | 11
1544 | explorer.exe | 17
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process | rows
1156 | WINWORD.EXE | 2
-
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target | rows
PID 1200 wrote to memory of 268 | 1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 27 | 4
PID 1200 wrote to memory of 1476 | 1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 28 | 4
PID 1200 wrote to memory of 1020 | 1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 29 | 4
PID 1200 wrote to memory of 1468 | 1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 30 | 4
PID 1476 wrote to memory of 1636 | 1476 | vpodhoetlylzfwd.exe | 31 | 4
PID 1636 wrote to memory of 632 | 1636 | cmd.exe | 33 | 4
PID 268 wrote to memory of 2032 | 268 | rvfadgwnkr.exe | 34 | 4
PID 1200 wrote to memory of 1156 | 1200 | 8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe | 35 | 4
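The WriteProcessMemory table lists one row per call, so every child shows up several times and the parent/child structure is hard to read from the flat text. The Python script below is an added example, not part of the sandbox report: it rebuilds the process tree from that row layout, counts rows per edge, and flags any write whose parent/child pair does not match a spawn recorded in the report's Processes list. SAMPLE is a subset of the rows above (most of the fourfold repeats dropped, so its counts are lower than the report's 32), and SPAWNED is the set of parent/child pairs copied from the Processes list.

```python
"""Rebuild the process tree from the flattened WriteProcessMemory table.

Added example; this script is not part of the sandbox report. The row layout
'PID <parent> wrote to memory of <child> <parent> <image> <procid_target>' is
the one the report prints. SAMPLE is a subset of the report's rows (most of
the fourfold repeats are dropped) and SPAWNED holds the parent/child pairs
copied from the report's Processes list.
"""
import re
from collections import Counter, defaultdict

RECORD = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)

ROOT = "8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe"

# Rows copied from the report, joined on one line the way the report prints them.
SAMPLE = " ".join([
    f"PID 1200 wrote to memory of 268 1200 {ROOT} 27",
    f"PID 1200 wrote to memory of 268 1200 {ROOT} 27",
    f"PID 1200 wrote to memory of 268 1200 {ROOT} 27",
    f"PID 1200 wrote to memory of 268 1200 {ROOT} 27",
    f"PID 1200 wrote to memory of 1476 1200 {ROOT} 28",
    f"PID 1200 wrote to memory of 1020 1200 {ROOT} 29",
    f"PID 1200 wrote to memory of 1468 1200 {ROOT} 30",
    "PID 1476 wrote to memory of 1636 1476 vpodhoetlylzfwd.exe 31",
    "PID 1636 wrote to memory of 632 1636 cmd.exe 33",
    "PID 1636 wrote to memory of 632 1636 cmd.exe 33",
    "PID 268 wrote to memory of 2032 268 rvfadgwnkr.exe 34",
    f"PID 1200 wrote to memory of 1156 1200 {ROOT} 35",
])

# Parent/child pairs as shown in the report's Processes section.
SPAWNED = {
    (1200, 268), (268, 2032), (1200, 1476), (1476, 1636), (1636, 632),
    (1200, 1020), (1200, 1468), (1200, 1156),
}


def parse_records(text):
    """One dict per row; finditer walks the single-line table without splitting it."""
    return [m.groupdict() for m in RECORD.finditer(text)]


def build_tree(records):
    """Collapse rows into (parent, child) edges.

    Returns (edges, images): edges counts rows per edge in first-seen order,
    images maps each writer PID to its image. Only writers carry an image in
    this table, so a leaf child stays unnamed unless it writes too.
    """
    edges = Counter()
    images = {}
    for r in records:
        parent, child = int(r["parent"]), int(r["child"])
        edges[(parent, child)] += 1
        images.setdefault(parent, r["image"])
    return edges, images


def roots(edges):
    """PIDs that write to others but were never written to."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges, images, root):
    """Indented lines, children in first-seen order, rows per edge in brackets."""
    kids = defaultdict(list)
    for parent, child in edges:  # Counter keeps insertion order
        kids[parent].append(child)
    lines = []

    def walk(pid, depth, rows):
        name = images.get(pid, "<image not in this table>")
        tag = f" [{rows} rows]" if rows else ""
        lines.append(f"{'  ' * depth}{pid} {name}{tag}")
        for child in kids.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    walk(root, 0, 0)
    return lines


def unexplained_writes(edges, spawned):
    """Edges that match no parent/child pair in the Processes list.

    A few writes into a process the writer has just created are what process
    creation itself produces; a write into a PID the writer never spawned is
    the case to treat as possible code injection.
    """
    return [(p, c) for p, c in edges if (p, c) not in spawned]


if __name__ == "__main__":
    edges, images = build_tree(parse_records(SAMPLE))
    for root in roots(edges):
        print("\n".join(render_tree(edges, images, root)))
    print("writes not explained by a spawn:", unexplained_writes(edges, SPAWNED))
```

On the full table every edge lines up with a parent/child pair in the Processes list, so the writes here are consistent with the sample spawning its dropped executables rather than injecting into an unrelated process; the check pays off on reports where a writer targets a PID it never spawned.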
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe (PID 1200, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8c1d9f4b035fca2cbaf79983b8874b44daa55587134b06f9f4a521e2cec0e739.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rvfadgwnkr.exe (PID 268, depth 2)
    Command line: rvfadgwnkr.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\hbfzgvve.exe (PID 2032, depth 3)
      Command line: C:\Windows\system32\hbfzgvve.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\vpodhoetlylzfwd.exe (PID 1476, depth 2)
    Command line: vpodhoetlylzfwd.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1636, depth 3)
      Command line: cmd.exe /c sulhwtpcrfcml.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\sulhwtpcrfcml.exe (PID 632, depth 4)
        Command line: sulhwtpcrfcml.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\hbfzgvve.exe (PID 1020, depth 2)
    Command line: hbfzgvve.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\sulhwtpcrfcml.exe (PID 1468, depth 2)
    Command line: sulhwtpcrfcml.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1156, depth 2)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe (PID 656, depth 1)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\system32\AUDIODG.EXE (PID 1988, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x598
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\explorer.exe (PID 1544, depth 1)
  Command line: explorer.exe
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (8)
Downloads
-
Filesize: 512KB
MD5: ee80af2f28984ee6706cc44b3c4934de
SHA1: 6b4b1ce8b99b943e4e2a0f57a2307638e4969a28
SHA256: 1ef1e83892406d5b7fbcf48f9f65f30efa911fedd70330bfcd109647805f041c
SHA512: 3414c44ca8ddac283175cbcdefd4f3efa7705b587783c3e5e041a8eb0f1dc3fc0b5125e9151b30c2dd16ec58435649fe172dbd2c39e7385b055bd58beef3827f
-
Filesize: 512KB
MD5: 502a78dea33de1b7021b5fe1cd0f97c2
SHA1: 12003137f85f751b8c359f2e497f745662cbc24e
SHA256: df234ffcc36abca9baee2299ac41296ab1d6a7e54e06359ea00d48091bdbff81
SHA512: 48e8bff7a267f62cad241336daedc0c6a1cee0704115ef64213ed507e2387e80aed165afebc42e44f5bece835825dab21a2302ef7269253101bed58e5ea20f37
-
Filesize: 512KB
MD5: 026e1f9b3a4b5ca0b7e8684189332456
SHA1: 4b00bc722848e457454c7eb444eb50f70d20099c
SHA256: 51a72a9b2577fda31297f7d1ec7b8958b53a3393f343ad9ccd8e13c59b53e92f
SHA512: 3cb084a4d7bc95aa079c6b4c1e7559b80994e185f2c6ba1a5e18119ec182aa4c48145b2813a96e6daf667e9361b31de6600da7a8a6447443fe3af65cc6ef6869
-
Filesize: 512KB
MD5: 1540fcab07a37be400c08db6e81cff3e
SHA1: e08a6f161a2ba165957ddbe2d3a6243679f8ff1b
SHA256: 1f5446c8a90cc15810989d63689cfaf6625a5aca63af285e5f519e0b469fc635
SHA512: 9e075202d3882464eab05e33020ae62cdcec03b16d1c69b25781699e13b7a5d39b5b1c06dd4b2c72e302988839056ea693c46ed9fa94591946205e05e644942a
-
Filesize: 512KB
MD5: c3102e204cb3684f65a4ebc6de0788aa
SHA1: 5ed10d4c6d2bb3eb6c38422e9fe8e581c185b39c
SHA256: df4115a935d5a92c55ed4d8b3c64aed5d675c02234cfefc54fbaa83ffc44296d
SHA512: 38f3d6d262e07551a1f9b260f1ad048b4eef2cf8dd509bed653bd96c577a7b4d6a8377a642af5aa5e61cad451ce26893a56c2e6c8b3eb2a10f3adafc5c4c8568
-
Filesize: 512KB
MD5: 854c1cc0045f1b27e52f5aa10f9c32c6
SHA1: d37b8258dfc3fa66696d7e6ed717bf2fb884e811
SHA256: 1a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54
SHA512: 7570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4
-
Filesize: 512KB
MD5: 854c1cc0045f1b27e52f5aa10f9c32c6
SHA1: d37b8258dfc3fa66696d7e6ed717bf2fb884e811
SHA256: 1a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54
SHA512: 7570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4
-
Filesize: 512KB
MD5: c47ea5a297bc195f9e6684da5a18269c
SHA1: f0a2c4796420a009bbaabbe5f33ea3eaf8d32d05
SHA256: b66438529118a6d4d318f23c3b51196a59fc306dd0a8aad782b8cfba9d3bf617
SHA512: 3c0b3e7c5ee8efe8080f85ec7abd8c5eb56b1ea80f8c19a2f6fcb7495aa1478cec9623d704c88f45ae66d1239d1dd0bb61aef7cea4a4cc20e78728d124214686
-
Filesize: 512KB
MD5: 0490f1084f82690b9bd2a90c79ff765a
SHA1: 2012bbc0cfb00fce495761e967d128837a1c126e
SHA256: f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86
SHA512: 42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f
-
Filesize: 512KB
MD5: 0490f1084f82690b9bd2a90c79ff765a
SHA1: 2012bbc0cfb00fce495761e967d128837a1c126e
SHA256: f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86
SHA512: 42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f
-
Filesize: 512KB
MD5: 0490f1084f82690b9bd2a90c79ff765a
SHA1: 2012bbc0cfb00fce495761e967d128837a1c126e
SHA256: f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86
SHA512: 42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f
-
Filesize: 512KB
MD5: d246efcae62704261a7915337ebd3d1c
SHA1: b2f310c66cac3311c7970f397fc8a142576afa72
SHA256: 5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd
SHA512: d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347
-
Filesize: 512KB
MD5: d246efcae62704261a7915337ebd3d1c
SHA1: b2f310c66cac3311c7970f397fc8a142576afa72
SHA256: 5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd
SHA512: d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347
-
Filesize: 512KB
MD5: baa5a714e5286868e57eabd353779a29
SHA1: e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912
SHA256: 3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631
SHA512: f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4
-
Filesize: 512KB
MD5: baa5a714e5286868e57eabd353779a29
SHA1: e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912
SHA256: 3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631
SHA512: f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4
-
Filesize: 512KB
MD5: baa5a714e5286868e57eabd353779a29
SHA1: e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912
SHA256: 3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631
SHA512: f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4
-
Filesize: 512KB
MD5: 47ebe80146dc45f2ef51d1a30a680d1a
SHA1: 1a06f68e58c0ddf61b1bfb8713c30a206b9501a1
SHA256: 461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e
SHA512: 7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d
-
Filesize: 512KB
MD5: 47ebe80146dc45f2ef51d1a30a680d1a
SHA1: 1a06f68e58c0ddf61b1bfb8713c30a206b9501a1
SHA256: 461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e
SHA512: 7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d
-
Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize: 512KB
MD5: 1540fcab07a37be400c08db6e81cff3e
SHA1: e08a6f161a2ba165957ddbe2d3a6243679f8ff1b
SHA256: 1f5446c8a90cc15810989d63689cfaf6625a5aca63af285e5f519e0b469fc635
SHA512: 9e075202d3882464eab05e33020ae62cdcec03b16d1c69b25781699e13b7a5d39b5b1c06dd4b2c72e302988839056ea693c46ed9fa94591946205e05e644942a
-
Filesize: 512KB
MD5: 0490f1084f82690b9bd2a90c79ff765a
SHA1: 2012bbc0cfb00fce495761e967d128837a1c126e
SHA256: f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86
SHA512: 42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f
-
Filesize: 512KB
MD5: 0490f1084f82690b9bd2a90c79ff765a
SHA1: 2012bbc0cfb00fce495761e967d128837a1c126e
SHA256: f2696f79cb26296c925f74d3092576522d532850287de56d55584dd78716ec86
SHA512: 42019a228ff4beefc04a36dd6728333dc02af7363eeeca6fab5da8e88967a84fd2ad4a20676e6d86465adf0a47841b2ba0308f0beec0802dfc5022c12462674f
-
Filesize: 512KB
MD5: d246efcae62704261a7915337ebd3d1c
SHA1: b2f310c66cac3311c7970f397fc8a142576afa72
SHA256: 5c7f0b01ee7774311ff354350cd1e0fbc9a9b565df46176055ad4b84c33b78dd
SHA512: d29d36d8abd579c2c03de7e71a82cdd86b46d03c94383cc1db9c969b75ff2b79a4a3b01ffd552e01bb51ca269173056584c79d5099f70ac1927eaeb07fd97347
-
Filesize: 512KB
MD5: baa5a714e5286868e57eabd353779a29
SHA1: e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912
SHA256: 3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631
SHA512: f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4
-
Filesize: 512KB
MD5: baa5a714e5286868e57eabd353779a29
SHA1: e7cf1411ffb3e93c63e96cdb7cef3a9f3e966912
SHA256: 3b25802104acbfb28f9efc36a1b4846117bb4c07bea4e8420793d240202c0631
SHA512: f98e2fad02cd9493845bd4e52398f972d232dea5bc9bad6d1b83e18c37d96322469d3ba3cfa72bee1776270681bee980169eff8638dda135070bc53bacc32eb4
-
Filesize: 512KB
MD5: 47ebe80146dc45f2ef51d1a30a680d1a
SHA1: 1a06f68e58c0ddf61b1bfb8713c30a206b9501a1
SHA256: 461d40efe1a8d8eafaaab9d65e8eefd224e3e2f6453a0fbc4462d39e61a74b5e
SHA512: 7b15d16ace191011264056583e7c20cf714ac712ad87124dd54b94c12d30286bd8148fb221464cc6d6347b9e927d39448230425ddc2f1e143d159661ea52d65d
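The Downloads list above fuses each algorithm name to its digest and repeats identical files as separate entries, so the number of distinct payloads is not obvious at a glance. The Python script below is an added example, not part of the sandbox report: it parses that layout, rejects any entry whose digests are not the expected length (a truncated hash is an extraction error, not an indicator), and groups entries by SHA256 so the distinct dropped files can be pulled out for blocking. SAMPLE holds four entries copied from the list above (a duplicated pair and the lone 223B entry among them), so the figures it yields describe the sample rather than the full list.

```python
"""Parse the report's Downloads list, validate the digests and collapse
repeated entries into distinct dropped files.

Added example, not part of the sandbox report. The entry layout ('Filesize',
a size, then MD5/SHA1/SHA256/SHA512 each fused to its digest, entries split
by '-') is the one printed in the report. SAMPLE holds four entries copied
from it (a duplicated pair and the lone 223B entry among them), so the
figures below describe the sample, not the full list.
"""
import re

ENTRY = re.compile(
    r"Filesize\s+(?P<size>\d+(?:\.\d+)?[KMG]?B)\s+"
    r"MD5(?P<md5>[0-9a-f]{32})\s+"
    r"SHA1(?P<sha1>[0-9a-f]{40})\s+"
    r"SHA256(?P<sha256>[0-9a-f]{64})\s+"
    r"SHA512(?P<sha512>[0-9a-f]{128})"
)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

SAMPLE = """
Filesize
512KB
MD5ee80af2f28984ee6706cc44b3c4934de
SHA16b4b1ce8b99b943e4e2a0f57a2307638e4969a28
SHA2561ef1e83892406d5b7fbcf48f9f65f30efa911fedd70330bfcd109647805f041c
SHA5123414c44ca8ddac283175cbcdefd4f3efa7705b587783c3e5e041a8eb0f1dc3fc0b5125e9151b30c2dd16ec58435649fe172dbd2c39e7385b055bd58beef3827f
-
Filesize
512KB
MD5854c1cc0045f1b27e52f5aa10f9c32c6
SHA1d37b8258dfc3fa66696d7e6ed717bf2fb884e811
SHA2561a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54
SHA5127570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4
-
Filesize
512KB
MD5854c1cc0045f1b27e52f5aa10f9c32c6
SHA1d37b8258dfc3fa66696d7e6ed717bf2fb884e811
SHA2561a9eb23287288e2dd45ac26d0d61a7cc900ec905d767386ff67b0170f7e9ef54
SHA5127570b2c5878c584b356200c1d55d392fd0e06e9e429d8feaea2552dcf433eb4c3033aeda218b6b979e748ed3b3e67899a10ca1c1200ead7c2d707e4f392badd4
-
Filesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
"""


def parse_size(text):
    """'512KB' -> 524288, '223B' -> 223; the report uses binary units."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_downloads(text):
    """One dict per well-formed entry, with the size converted to bytes."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        e["bytes"] = parse_size(e.pop("size"))
        entries.append(e)
    return entries


def malformed_count(text):
    """Entries announced by 'Filesize' that did not parse: the fixed digest
    widths in ENTRY reject a truncated or mistyped hash."""
    return text.count("Filesize") - len(ENTRY.findall(text))


def distinct_files(entries):
    """Group by SHA256 in first-seen order; raise if two entries share a
    SHA256 but disagree on MD5, SHA1 or size (a transcription error)."""
    groups = {}
    for e in entries:
        key = (e["md5"], e["sha1"], e["bytes"])
        g = groups.setdefault(e["sha256"], {"count": 0, "key": key})
        if g["key"] != key:
            raise ValueError(f"conflicting metadata for SHA256 {e['sha256']}")
        g["count"] += 1
    return groups


def size_outliers(entries, expected_bytes):
    """Entries whose size differs from the one the bulk of the list shares."""
    return [e for e in entries if e["bytes"] != expected_bytes]


if __name__ == "__main__":
    entries = parse_downloads(SAMPLE)
    print(f"{len(entries)} entries, {malformed_count(SAMPLE)} malformed")
    for sha256, g in distinct_files(entries).items():
        print(f"{sha256}  md5={g['key'][0]}  {g['key'][2]} bytes  x{g['count']}")
    for e in size_outliers(entries, 512 * 1024):
        print("size outlier:", e["md5"], e["bytes"], "bytes")
```

Run against the full list, the same grouping turns the 26 entries into the much shorter set of SHA256 values actually worth adding to a blocklist, and the size check singles out the one 223B file from the 512KB executables.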