9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6

Analysis

max time kernel
154s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Size

255KB
MD5

02ae9753ce806ffeb5ce51acafbecba1
SHA1

9348aeb1b26556db5de9f94fd2931615c8cef86b
SHA256

9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6
SHA512

0cbed35394f4b81bb56dbda507ad548cba5097665df4acb7440f4332d5d2faf619b9ea4d415b5fdf3dc1449045f064e69b67462ff5208ca8dd153a700ae25e97
SSDEEP

6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6l:Plf5j6zCNa0xeE3my

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	jpvoqisbdh.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jpvoqisbdh.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jpvoqisbdh.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jpvoqisbdh.exe

Executes dropped EXE 5 IoCs

pid	Process
1480	jpvoqisbdh.exe
1196	fabbtwkqbrluhyp.exe
2024	durzvgff.exe
1516	wsydqptkwymkc.exe
528	durzvgff.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1476-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-56.dat	upx
behavioral1/memory/1476-57-0x00000000023A0000-0x0000000002440000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-60.dat	upx
behavioral1/files/0x000a0000000122b9-59.dat	upx
behavioral1/files/0x00090000000122bd-63.dat	upx
behavioral1/files/0x000a0000000122b9-65.dat	upx
behavioral1/files/0x0007000000005c50-67.dat	upx
behavioral1/files/0x00090000000122bd-69.dat	upx
behavioral1/files/0x00090000000122c0-68.dat	upx
behavioral1/files/0x00090000000122c0-72.dat	upx
behavioral1/memory/1480-73-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1196-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1516-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2024-76-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000a0000000122b9-80.dat	upx
behavioral1/files/0x00090000000122bd-79.dat	upx
behavioral1/files/0x00090000000122c0-81.dat	upx
behavioral1/files/0x00090000000122bd-82.dat	upx
behavioral1/files/0x00090000000122bd-84.dat	upx
behavioral1/memory/528-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1476-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00020000000001bf-89.dat	upx
behavioral1/memory/1480-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1196-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1516-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2024-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/528-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0008000000012301-105.dat	upx
behavioral1/files/0x0008000000012301-106.dat	upx
behavioral1/files/0x0008000000012301-104.dat	upx
behavioral1/files/0x000800000001230f-107.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1480	jpvoqisbdh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jpvoqisbdh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	fabbtwkqbrluhyp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\laitknvl = "jpvoqisbdh.exe"	fabbtwkqbrluhyp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrhgrjf = "fabbtwkqbrluhyp.exe"	fabbtwkqbrluhyp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wsydqptkwymkc.exe"	fabbtwkqbrluhyp.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	jpvoqisbdh.exe
File opened (read-only)	\??\n:	jpvoqisbdh.exe
File opened (read-only)	\??\k:	durzvgff.exe
File opened (read-only)	\??\n:	durzvgff.exe
File opened (read-only)	\??\f:	jpvoqisbdh.exe
File opened (read-only)	\??\s:	jpvoqisbdh.exe
File opened (read-only)	\??\w:	jpvoqisbdh.exe
File opened (read-only)	\??\g:	durzvgff.exe
File opened (read-only)	\??\i:	jpvoqisbdh.exe
File opened (read-only)	\??\a:	durzvgff.exe
File opened (read-only)	\??\m:	durzvgff.exe
File opened (read-only)	\??\z:	durzvgff.exe
File opened (read-only)	\??\s:	durzvgff.exe
File opened (read-only)	\??\j:	jpvoqisbdh.exe
File opened (read-only)	\??\k:	jpvoqisbdh.exe
File opened (read-only)	\??\x:	jpvoqisbdh.exe
File opened (read-only)	\??\u:	durzvgff.exe
File opened (read-only)	\??\y:	durzvgff.exe
File opened (read-only)	\??\e:	jpvoqisbdh.exe
File opened (read-only)	\??\m:	jpvoqisbdh.exe
File opened (read-only)	\??\o:	jpvoqisbdh.exe
File opened (read-only)	\??\y:	jpvoqisbdh.exe
File opened (read-only)	\??\z:	jpvoqisbdh.exe
File opened (read-only)	\??\r:	durzvgff.exe
File opened (read-only)	\??\u:	jpvoqisbdh.exe
File opened (read-only)	\??\i:	durzvgff.exe
File opened (read-only)	\??\q:	durzvgff.exe
File opened (read-only)	\??\t:	durzvgff.exe
File opened (read-only)	\??\g:	durzvgff.exe
File opened (read-only)	\??\h:	jpvoqisbdh.exe
File opened (read-only)	\??\j:	durzvgff.exe
File opened (read-only)	\??\r:	durzvgff.exe
File opened (read-only)	\??\t:	durzvgff.exe
File opened (read-only)	\??\p:	jpvoqisbdh.exe
File opened (read-only)	\??\x:	durzvgff.exe
File opened (read-only)	\??\y:	durzvgff.exe
File opened (read-only)	\??\k:	durzvgff.exe
File opened (read-only)	\??\m:	durzvgff.exe
File opened (read-only)	\??\q:	jpvoqisbdh.exe
File opened (read-only)	\??\v:	durzvgff.exe
File opened (read-only)	\??\b:	durzvgff.exe
File opened (read-only)	\??\x:	durzvgff.exe
File opened (read-only)	\??\e:	durzvgff.exe
File opened (read-only)	\??\w:	durzvgff.exe
File opened (read-only)	\??\a:	durzvgff.exe
File opened (read-only)	\??\u:	durzvgff.exe
File opened (read-only)	\??\z:	durzvgff.exe
File opened (read-only)	\??\l:	durzvgff.exe
File opened (read-only)	\??\a:	jpvoqisbdh.exe
File opened (read-only)	\??\b:	jpvoqisbdh.exe
File opened (read-only)	\??\p:	durzvgff.exe
File opened (read-only)	\??\w:	durzvgff.exe
File opened (read-only)	\??\n:	durzvgff.exe
File opened (read-only)	\??\q:	durzvgff.exe
File opened (read-only)	\??\g:	jpvoqisbdh.exe
File opened (read-only)	\??\l:	durzvgff.exe
File opened (read-only)	\??\f:	durzvgff.exe
File opened (read-only)	\??\o:	durzvgff.exe
File opened (read-only)	\??\v:	durzvgff.exe
File opened (read-only)	\??\t:	jpvoqisbdh.exe
File opened (read-only)	\??\b:	durzvgff.exe
File opened (read-only)	\??\h:	durzvgff.exe
File opened (read-only)	\??\o:	durzvgff.exe
File opened (read-only)	\??\i:	durzvgff.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	jpvoqisbdh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	jpvoqisbdh.exe

AutoIT Executable 11 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1476-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1480-73-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1196-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-76-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/528-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1476-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1480-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1196-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1516-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/528-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jpvoqisbdh.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File created	C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification	C:\Windows\SysWOW64\durzvgff.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification	C:\Windows\SysWOW64\wsydqptkwymkc.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	jpvoqisbdh.exe
File opened for modification	C:\Windows\SysWOW64\jpvoqisbdh.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification	C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File created	C:\Windows\SysWOW64\durzvgff.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File created	C:\Windows\SysWOW64\wsydqptkwymkc.exe	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	durzvgff.exe
File created	\??\c:\Program Files\DenyExport.doc.exe	durzvgff.exe
File opened for modification	C:\Program Files\DenyExport.doc.exe	durzvgff.exe
File opened for modification	C:\Program Files\DenyExport.nal	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe
File opened for modification	C:\Program Files\DenyExport.doc.exe	durzvgff.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	durzvgff.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	durzvgff.exe
File opened for modification	\??\c:\Program Files\DenyExport.doc.exe	durzvgff.exe
File opened for modification	C:\Program Files\DenyExport.nal	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	durzvgff.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	durzvgff.exe
File opened for modification	\??\c:\Program Files\DenyExport.doc.exe	durzvgff.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	durzvgff.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02F449738E852C8BAD53293D7B9"	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	jpvoqisbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	jpvoqisbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D789D5683506D4676A077252CDC7DF364A8"	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67514E0DAB3B8BA7FE6ED9434CF"	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	jpvoqisbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
288	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
2024	durzvgff.exe
2024	durzvgff.exe
2024	durzvgff.exe
2024	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
528	durzvgff.exe
528	durzvgff.exe
528	durzvgff.exe
528	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1196	fabbtwkqbrluhyp.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
2024	durzvgff.exe
2024	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
2024	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
528	durzvgff.exe
528	durzvgff.exe
528	durzvgff.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
1480	jpvoqisbdh.exe
2024	durzvgff.exe
2024	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1196	fabbtwkqbrluhyp.exe
2024	durzvgff.exe
1196	fabbtwkqbrluhyp.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
1516	wsydqptkwymkc.exe
528	durzvgff.exe
528	durzvgff.exe
528	durzvgff.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
288	WINWORD.EXE
288	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1480	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	27
PID 1476 wrote to memory of 1480	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	27
PID 1476 wrote to memory of 1480	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	27
PID 1476 wrote to memory of 1480	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	27
PID 1476 wrote to memory of 1196	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	28
PID 1476 wrote to memory of 1196	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	28
PID 1476 wrote to memory of 1196	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	28
PID 1476 wrote to memory of 1196	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	28
PID 1476 wrote to memory of 2024	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	29
PID 1476 wrote to memory of 2024	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	29
PID 1476 wrote to memory of 2024	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	29
PID 1476 wrote to memory of 2024	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	29
PID 1476 wrote to memory of 1516	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	30
PID 1476 wrote to memory of 1516	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	30
PID 1476 wrote to memory of 1516	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	30
PID 1476 wrote to memory of 1516	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	30
PID 1480 wrote to memory of 528	1480	jpvoqisbdh.exe	31
PID 1480 wrote to memory of 528	1480	jpvoqisbdh.exe	31
PID 1480 wrote to memory of 528	1480	jpvoqisbdh.exe	31
PID 1480 wrote to memory of 528	1480	jpvoqisbdh.exe	31
PID 1476 wrote to memory of 288	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	32
PID 1476 wrote to memory of 288	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	32
PID 1476 wrote to memory of 288	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	32
PID 1476 wrote to memory of 288	1476	9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe	32
PID 288 wrote to memory of 976	288	WINWORD.EXE	36
PID 288 wrote to memory of 976	288	WINWORD.EXE	36
PID 288 wrote to memory of 976	288	WINWORD.EXE	36
PID 288 wrote to memory of 976	288	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
"C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\jpvoqisbdh.exe
  jpvoqisbdh.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\durzvgff.exe
    C:\Windows\system32\durzvgff.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:528
- C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe
  fabbtwkqbrluhyp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1196
- C:\Windows\SysWOW64\durzvgff.exe
  durzvgff.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2024
- C:\Windows\SysWOW64\wsydqptkwymkc.exe
  wsydqptkwymkc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1516
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
e357c393c85d5013a1da5ced0d79f7fa

SHA1
b3ec2c8f21f38ecaae699fb087fb36e098611aa8

SHA256
b2a61a579d2811881d75cb41833d03b9bd42ce44f1b84a62c950e7ecea93fbde

SHA512
85cba0f67ddae1020374a6143b1a7858b4535047b5d09ac0ffb3ab5a2d3bc89c3bf9c2b55dcdda5539e425c0d017bebcec143a91ea04cf224209524359ba4a35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
e357c393c85d5013a1da5ced0d79f7fa

SHA1
b3ec2c8f21f38ecaae699fb087fb36e098611aa8

SHA256
b2a61a579d2811881d75cb41833d03b9bd42ce44f1b84a62c950e7ecea93fbde

SHA512
85cba0f67ddae1020374a6143b1a7858b4535047b5d09ac0ffb3ab5a2d3bc89c3bf9c2b55dcdda5539e425c0d017bebcec143a91ea04cf224209524359ba4a35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
6e5daef8bd107fcd1b66e8c71dc73b0f

SHA1
4905343b2178a0c7ddffafab54d87e5c168531f3

SHA256
e8f504e362c44c47cbf5643757cbab0a360af0dbaa304e49f86be343e7514470

SHA512
eee810857af4665457b35aa5debaf9b5acfdbbd86ab7ef1784e44c4baeaff5c49251bbe94a2a1dd6960516f6357d710eb06260602196d8be41655fb982821554

Download Submit
C:\Windows\SysWOW64\durzvgff.exe

Filesize
255KB

MD5
fb8608024cd284405798e3c9f99d50e4

SHA1
1665b248103ebadbe5ab0bbb809f633d060afe4a

SHA256
f1813198435334b79f452bdd0a7c94b1a9c7df67087100bec2191891ef07fb62

SHA512
e6718eb0bfc9004824e36f0489d9c9f4ce196bc560aba3ad2aa31f4c33466454bd67ccbd482aba561e2d884e81b304b13e45c38b0243aa4764cf32b865468e5b

Download Submit
C:\Windows\SysWOW64\durzvgff.exe

Filesize
255KB

MD5
fb8608024cd284405798e3c9f99d50e4

SHA1
1665b248103ebadbe5ab0bbb809f633d060afe4a

SHA256
f1813198435334b79f452bdd0a7c94b1a9c7df67087100bec2191891ef07fb62

SHA512
e6718eb0bfc9004824e36f0489d9c9f4ce196bc560aba3ad2aa31f4c33466454bd67ccbd482aba561e2d884e81b304b13e45c38b0243aa4764cf32b865468e5b

Download Submit
C:\Windows\SysWOW64\durzvgff.exe

Filesize
255KB

MD5
fb8608024cd284405798e3c9f99d50e4

SHA1
1665b248103ebadbe5ab0bbb809f633d060afe4a

SHA256
f1813198435334b79f452bdd0a7c94b1a9c7df67087100bec2191891ef07fb62

SHA512
e6718eb0bfc9004824e36f0489d9c9f4ce196bc560aba3ad2aa31f4c33466454bd67ccbd482aba561e2d884e81b304b13e45c38b0243aa4764cf32b865468e5b

Download Submit
C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe

Filesize
255KB

MD5
bd5301844b09c2e89399e48680417f6c

SHA1
d30eaa8b60579e9ee663441675774f77e4677948

SHA256
ded9342d8249110b5c1401a50620f4e7dd43f5a64ea8ffc11cb873ee9950a62a

SHA512
4b0ac071f8d667ff11f9a501cc4d026e44531f3a98c55fea9cc42644f30059af6ec28c7f140e57d74319d99a6b875644ff5c5aa142fce6ea596494200d8b39f6

Download Submit
C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe

Filesize
255KB

MD5
bd5301844b09c2e89399e48680417f6c

SHA1
d30eaa8b60579e9ee663441675774f77e4677948

SHA256
ded9342d8249110b5c1401a50620f4e7dd43f5a64ea8ffc11cb873ee9950a62a

SHA512
4b0ac071f8d667ff11f9a501cc4d026e44531f3a98c55fea9cc42644f30059af6ec28c7f140e57d74319d99a6b875644ff5c5aa142fce6ea596494200d8b39f6

Download Submit
C:\Windows\SysWOW64\jpvoqisbdh.exe

Filesize
255KB

MD5
d302e43f107fc9ba49ab79d116ef8258

SHA1
805ffb7b7e29aa89678d9693f2fb0fbbfd762499

SHA256
544af90bf0024fa1542590e0620b1d2af7c2dd6378ed2085408a204299c08b2b

SHA512
68f82f9cdc389886397a6fd685cea68158c846566b3d5b830efb06ae73b62110338f52a99089a6168f7499912b444d1b76e1f8bcec378b9312041d9d6520f43d

Download Submit
C:\Windows\SysWOW64\jpvoqisbdh.exe

Filesize
255KB

MD5
d302e43f107fc9ba49ab79d116ef8258

SHA1
805ffb7b7e29aa89678d9693f2fb0fbbfd762499

SHA256
544af90bf0024fa1542590e0620b1d2af7c2dd6378ed2085408a204299c08b2b

SHA512
68f82f9cdc389886397a6fd685cea68158c846566b3d5b830efb06ae73b62110338f52a99089a6168f7499912b444d1b76e1f8bcec378b9312041d9d6520f43d

Download Submit
C:\Windows\SysWOW64\wsydqptkwymkc.exe

Filesize
255KB

MD5
0dcc760fe874df40fa4b73513046719c

SHA1
9eb094534baf64ee04f4a786a7f01e6db486690b

SHA256
252f6bd281500785215255bc94ae7e5773533402def3ff6535cfd50cccbdca9e

SHA512
e4db156624c326630a84e5372be0bd9ccebeec01e6e0e298b8fcb6bddd2a6d7f13b41509adf9881dd8ad15c3a855738a4b887613d3869419520fab0a736ddcb8

Download Submit
C:\Windows\SysWOW64\wsydqptkwymkc.exe

Filesize
255KB

MD5
0dcc760fe874df40fa4b73513046719c

SHA1
9eb094534baf64ee04f4a786a7f01e6db486690b

SHA256
252f6bd281500785215255bc94ae7e5773533402def3ff6535cfd50cccbdca9e

SHA512
e4db156624c326630a84e5372be0bd9ccebeec01e6e0e298b8fcb6bddd2a6d7f13b41509adf9881dd8ad15c3a855738a4b887613d3869419520fab0a736ddcb8

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
e357c393c85d5013a1da5ced0d79f7fa

SHA1
b3ec2c8f21f38ecaae699fb087fb36e098611aa8

SHA256
b2a61a579d2811881d75cb41833d03b9bd42ce44f1b84a62c950e7ecea93fbde

SHA512
85cba0f67ddae1020374a6143b1a7858b4535047b5d09ac0ffb3ab5a2d3bc89c3bf9c2b55dcdda5539e425c0d017bebcec143a91ea04cf224209524359ba4a35

Download Submit
\??\c:\Program Files\DenyExport.doc.exe

Filesize
255KB

MD5
37c001940e6eeb1e0b9b0fb6daa0b817

SHA1
c12e06fba131c39b74869106e2ddda58ad49c3bf

SHA256
4544d91c55f46649b78905bac206ccbbb024b12c4c9ed1639e6685451bbff9d9

SHA512
695f71da62299712fe21932c14e64eef35f02746ff27afeb1ad05f23c52fdac9393607ca7f317b2768d1f5e85358af2ff7989a47c9c509d9bbe8df3c76ce81d6

Download Submit
\Windows\SysWOW64\durzvgff.exe

Filesize
255KB

MD5
fb8608024cd284405798e3c9f99d50e4

SHA1
1665b248103ebadbe5ab0bbb809f633d060afe4a

SHA256
f1813198435334b79f452bdd0a7c94b1a9c7df67087100bec2191891ef07fb62

SHA512
e6718eb0bfc9004824e36f0489d9c9f4ce196bc560aba3ad2aa31f4c33466454bd67ccbd482aba561e2d884e81b304b13e45c38b0243aa4764cf32b865468e5b

Download Submit
\Windows\SysWOW64\durzvgff.exe

Filesize
255KB

MD5
fb8608024cd284405798e3c9f99d50e4

SHA1
1665b248103ebadbe5ab0bbb809f633d060afe4a

SHA256
f1813198435334b79f452bdd0a7c94b1a9c7df67087100bec2191891ef07fb62

SHA512
e6718eb0bfc9004824e36f0489d9c9f4ce196bc560aba3ad2aa31f4c33466454bd67ccbd482aba561e2d884e81b304b13e45c38b0243aa4764cf32b865468e5b

Download Submit
\Windows\SysWOW64\fabbtwkqbrluhyp.exe

Filesize
255KB

MD5
bd5301844b09c2e89399e48680417f6c

SHA1
d30eaa8b60579e9ee663441675774f77e4677948

SHA256
ded9342d8249110b5c1401a50620f4e7dd43f5a64ea8ffc11cb873ee9950a62a

SHA512
4b0ac071f8d667ff11f9a501cc4d026e44531f3a98c55fea9cc42644f30059af6ec28c7f140e57d74319d99a6b875644ff5c5aa142fce6ea596494200d8b39f6

Download Submit
\Windows\SysWOW64\jpvoqisbdh.exe

Filesize
255KB

MD5
d302e43f107fc9ba49ab79d116ef8258

SHA1
805ffb7b7e29aa89678d9693f2fb0fbbfd762499

SHA256
544af90bf0024fa1542590e0620b1d2af7c2dd6378ed2085408a204299c08b2b

SHA512
68f82f9cdc389886397a6fd685cea68158c846566b3d5b830efb06ae73b62110338f52a99089a6168f7499912b444d1b76e1f8bcec378b9312041d9d6520f43d

Download Submit
\Windows\SysWOW64\wsydqptkwymkc.exe

Filesize
255KB

MD5
0dcc760fe874df40fa4b73513046719c

SHA1
9eb094534baf64ee04f4a786a7f01e6db486690b

SHA256
252f6bd281500785215255bc94ae7e5773533402def3ff6535cfd50cccbdca9e

SHA512
e4db156624c326630a84e5372be0bd9ccebeec01e6e0e298b8fcb6bddd2a6d7f13b41509adf9881dd8ad15c3a855738a4b887613d3869419520fab0a736ddcb8

Download Submit
memory/288-101-0x0000000070B2D000-0x0000000070B38000-memory.dmp

Filesize
44KB

Download
memory/288-97-0x0000000070B2D000-0x0000000070B38000-memory.dmp

Filesize
44KB

Download
memory/288-109-0x0000000070B2D000-0x0000000070B38000-memory.dmp

Filesize
44KB

Download
memory/288-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/288-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/288-91-0x000000006FB41000-0x000000006FB43000-memory.dmp

Filesize
8KB

Download
memory/288-90-0x00000000720C1000-0x00000000720C4000-memory.dmp

Filesize
12KB

Download
memory/528-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/528-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/976-103-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1196-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1196-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-74-0x00000000023A0000-0x0000000002440000-memory.dmp

Filesize
640KB

Download
memory/1476-57-0x00000000023A0000-0x0000000002440000-memory.dmp

Filesize
640KB

Download
memory/1480-73-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1480-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1516-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1516-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2024-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2024-76-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download