7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606

Analysis

max time kernel
186s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
Size

255KB
MD5

78ea1e583aa099223934b0e9e03ce7f6
SHA1

b45cc23a899bb492e4687662b53c8b1c040a9cb0
SHA256

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606
SHA512

c27d8ed05c87b5c7dec91bb56da1718ed57b72d24b4c33eb11be7f586a5c95ca86d015d16d6da1cc4bc56a32c35728164b56a5db9ee1a1bdffbcd3d22d66eeb0
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJr:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	gwyejoqlvb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gwyejoqlvb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gwyejoqlvb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gwyejoqlvb.exe

Executes dropped EXE 5 IoCs

Processes:

gwyejoqlvb.exekmyrfcpfeqnaris.exeoehlsgjb.exezuegorhzroeej.exeoehlsgjb.exe

pid process

1316 gwyejoqlvb.exe
1068 kmyrfcpfeqnaris.exe
868 oehlsgjb.exe
1348 zuegorhzroeej.exe
328 oehlsgjb.exe

pid	process
1316	gwyejoqlvb.exe
1068	kmyrfcpfeqnaris.exe
868	oehlsgjb.exe
1348	zuegorhzroeej.exe
328	oehlsgjb.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\gwyejoqlvb.exe	upx
C:\Windows\SysWOW64\gwyejoqlvb.exe	upx
\Windows\SysWOW64\kmyrfcpfeqnaris.exe	upx
\Windows\SysWOW64\oehlsgjb.exe	upx
C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe	upx
C:\Windows\SysWOW64\gwyejoqlvb.exe	upx
C:\Windows\SysWOW64\oehlsgjb.exe	upx
\Windows\SysWOW64\zuegorhzroeej.exe	upx
behavioral1/memory/1316-70-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1068-72-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\zuegorhzroeej.exe	upx
C:\Windows\SysWOW64\oehlsgjb.exe	upx
C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe	upx
C:\Windows\SysWOW64\zuegorhzroeej.exe	upx
\Windows\SysWOW64\oehlsgjb.exe	upx
behavioral1/memory/1348-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\oehlsgjb.exe	upx
behavioral1/memory/328-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1728-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1316-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1068-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/868-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1348-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/328-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Users\Admin\AppData\Roaming\UnlockCompare.doc.exe	upx
C:\Users\Admin\Desktop\WatchClose.doc.exe	upx

Loads dropped DLL 5 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exe

pid	process
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1316	gwyejoqlvb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gwyejoqlvb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

kmyrfcpfeqnaris.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kmyrfcpfeqnaris.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\chgasdpy = "gwyejoqlvb.exe"	kmyrfcpfeqnaris.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pjsncspo = "kmyrfcpfeqnaris.exe"	kmyrfcpfeqnaris.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zuegorhzroeej.exe"	kmyrfcpfeqnaris.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

oehlsgjb.exegwyejoqlvb.exeoehlsgjb.exe

description	ioc	process
File opened (read-only)	\??\s:	oehlsgjb.exe
File opened (read-only)	\??\x:	oehlsgjb.exe
File opened (read-only)	\??\o:	gwyejoqlvb.exe
File opened (read-only)	\??\g:	oehlsgjb.exe
File opened (read-only)	\??\i:	oehlsgjb.exe
File opened (read-only)	\??\b:	gwyejoqlvb.exe
File opened (read-only)	\??\m:	gwyejoqlvb.exe
File opened (read-only)	\??\t:	gwyejoqlvb.exe
File opened (read-only)	\??\y:	gwyejoqlvb.exe
File opened (read-only)	\??\f:	oehlsgjb.exe
File opened (read-only)	\??\j:	oehlsgjb.exe
File opened (read-only)	\??\v:	oehlsgjb.exe
File opened (read-only)	\??\r:	gwyejoqlvb.exe
File opened (read-only)	\??\r:	oehlsgjb.exe
File opened (read-only)	\??\z:	oehlsgjb.exe
File opened (read-only)	\??\i:	gwyejoqlvb.exe
File opened (read-only)	\??\k:	gwyejoqlvb.exe
File opened (read-only)	\??\t:	oehlsgjb.exe
File opened (read-only)	\??\l:	gwyejoqlvb.exe
File opened (read-only)	\??\b:	oehlsgjb.exe
File opened (read-only)	\??\v:	oehlsgjb.exe
File opened (read-only)	\??\w:	gwyejoqlvb.exe
File opened (read-only)	\??\e:	oehlsgjb.exe
File opened (read-only)	\??\f:	oehlsgjb.exe
File opened (read-only)	\??\n:	oehlsgjb.exe
File opened (read-only)	\??\b:	oehlsgjb.exe
File opened (read-only)	\??\u:	oehlsgjb.exe
File opened (read-only)	\??\w:	oehlsgjb.exe
File opened (read-only)	\??\e:	gwyejoqlvb.exe
File opened (read-only)	\??\j:	gwyejoqlvb.exe
File opened (read-only)	\??\a:	oehlsgjb.exe
File opened (read-only)	\??\z:	gwyejoqlvb.exe
File opened (read-only)	\??\m:	oehlsgjb.exe
File opened (read-only)	\??\x:	oehlsgjb.exe
File opened (read-only)	\??\y:	oehlsgjb.exe
File opened (read-only)	\??\a:	gwyejoqlvb.exe
File opened (read-only)	\??\h:	gwyejoqlvb.exe
File opened (read-only)	\??\j:	oehlsgjb.exe
File opened (read-only)	\??\l:	oehlsgjb.exe
File opened (read-only)	\??\n:	oehlsgjb.exe
File opened (read-only)	\??\f:	gwyejoqlvb.exe
File opened (read-only)	\??\p:	gwyejoqlvb.exe
File opened (read-only)	\??\u:	gwyejoqlvb.exe
File opened (read-only)	\??\v:	gwyejoqlvb.exe
File opened (read-only)	\??\g:	oehlsgjb.exe
File opened (read-only)	\??\q:	oehlsgjb.exe
File opened (read-only)	\??\s:	oehlsgjb.exe
File opened (read-only)	\??\i:	oehlsgjb.exe
File opened (read-only)	\??\o:	oehlsgjb.exe
File opened (read-only)	\??\r:	oehlsgjb.exe
File opened (read-only)	\??\y:	oehlsgjb.exe
File opened (read-only)	\??\n:	gwyejoqlvb.exe
File opened (read-only)	\??\q:	gwyejoqlvb.exe
File opened (read-only)	\??\h:	oehlsgjb.exe
File opened (read-only)	\??\l:	oehlsgjb.exe
File opened (read-only)	\??\q:	oehlsgjb.exe
File opened (read-only)	\??\a:	oehlsgjb.exe
File opened (read-only)	\??\p:	oehlsgjb.exe
File opened (read-only)	\??\z:	oehlsgjb.exe
File opened (read-only)	\??\t:	oehlsgjb.exe
File opened (read-only)	\??\g:	gwyejoqlvb.exe
File opened (read-only)	\??\s:	gwyejoqlvb.exe
File opened (read-only)	\??\k:	oehlsgjb.exe
File opened (read-only)	\??\m:	oehlsgjb.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gwyejoqlvb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	gwyejoqlvb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	gwyejoqlvb.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1316-70-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1348-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/328-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1728-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1316-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1068-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/868-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1348-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/328-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\oehlsgjb.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File created	C:\Windows\SysWOW64\zuegorhzroeej.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File opened for modification	C:\Windows\SysWOW64\gwyejoqlvb.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File created	C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File created	C:\Windows\SysWOW64\oehlsgjb.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File opened for modification	C:\Windows\SysWOW64\zuegorhzroeej.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	gwyejoqlvb.exe
File created	C:\Windows\SysWOW64\gwyejoqlvb.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File opened for modification	C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe

Drops file in Program Files directory 15 IoCs

Processes:

oehlsgjb.exeoehlsgjb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	oehlsgjb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oehlsgjb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oehlsgjb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	oehlsgjb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oehlsgjb.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	oehlsgjb.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	oehlsgjb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oehlsgjb.exe

Drops file in Windows directory 5 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193FC67B14E1DAB5B8BE7FE7EC9E34C6"	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	gwyejoqlvb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	gwyejoqlvb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABEFAB9FE64F2E0830F3B42819B3997B08A038A43660338E2CC42E909A9"	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	gwyejoqlvb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

584 WINWORD.EXE

pid	process
584	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exeoehlsgjb.exekmyrfcpfeqnaris.exezuegorhzroeej.exeoehlsgjb.exe

pid	process
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
328	oehlsgjb.exe
328	oehlsgjb.exe
328	oehlsgjb.exe
328	oehlsgjb.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exeoehlsgjb.exekmyrfcpfeqnaris.exezuegorhzroeej.exeoehlsgjb.exe

pid	process
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
328	oehlsgjb.exe
328	oehlsgjb.exe
328	oehlsgjb.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exeoehlsgjb.exekmyrfcpfeqnaris.exezuegorhzroeej.exeoehlsgjb.exe

pid	process
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
1316	gwyejoqlvb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
868	oehlsgjb.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1068	kmyrfcpfeqnaris.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
1348	zuegorhzroeej.exe
328	oehlsgjb.exe
328	oehlsgjb.exe
328	oehlsgjb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

584 WINWORD.EXE
584 WINWORD.EXE

pid	process
584	WINWORD.EXE
584	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exegwyejoqlvb.exeWINWORD.EXE

description	pid	process	target process
PID 1728 wrote to memory of 1316	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	gwyejoqlvb.exe
PID 1728 wrote to memory of 1316	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	gwyejoqlvb.exe
PID 1728 wrote to memory of 1316	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	gwyejoqlvb.exe
PID 1728 wrote to memory of 1316	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	gwyejoqlvb.exe
PID 1728 wrote to memory of 1068	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	kmyrfcpfeqnaris.exe
PID 1728 wrote to memory of 1068	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	kmyrfcpfeqnaris.exe
PID 1728 wrote to memory of 1068	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	kmyrfcpfeqnaris.exe
PID 1728 wrote to memory of 1068	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	kmyrfcpfeqnaris.exe
PID 1728 wrote to memory of 868	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	oehlsgjb.exe
PID 1728 wrote to memory of 868	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	oehlsgjb.exe
PID 1728 wrote to memory of 868	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	oehlsgjb.exe
PID 1728 wrote to memory of 868	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	oehlsgjb.exe
PID 1728 wrote to memory of 1348	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	zuegorhzroeej.exe
PID 1728 wrote to memory of 1348	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	zuegorhzroeej.exe
PID 1728 wrote to memory of 1348	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	zuegorhzroeej.exe
PID 1728 wrote to memory of 1348	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	zuegorhzroeej.exe
PID 1316 wrote to memory of 328	1316	gwyejoqlvb.exe	oehlsgjb.exe
PID 1316 wrote to memory of 328	1316	gwyejoqlvb.exe	oehlsgjb.exe
PID 1316 wrote to memory of 328	1316	gwyejoqlvb.exe	oehlsgjb.exe
PID 1316 wrote to memory of 328	1316	gwyejoqlvb.exe	oehlsgjb.exe
PID 1728 wrote to memory of 584	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	WINWORD.EXE
PID 1728 wrote to memory of 584	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	WINWORD.EXE
PID 1728 wrote to memory of 584	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	WINWORD.EXE
PID 1728 wrote to memory of 584	1728	7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe	WINWORD.EXE
PID 584 wrote to memory of 1980	584	WINWORD.EXE	splwow64.exe
PID 584 wrote to memory of 1980	584	WINWORD.EXE	splwow64.exe
PID 584 wrote to memory of 1980	584	WINWORD.EXE	splwow64.exe
PID 584 wrote to memory of 1980	584	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe
"C:\Users\Admin\AppData\Local\Temp\7460505c406472e17992c33deb228d2a9f0691c5f1f4062f8fb6d0ff5ef9b606.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\gwyejoqlvb.exe
gwyejoqlvb.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\oehlsgjb.exe
C:\Windows\system32\oehlsgjb.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:328

C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe
kmyrfcpfeqnaris.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1068

C:\Windows\SysWOW64\oehlsgjb.exe
oehlsgjb.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:868

C:\Windows\SysWOW64\zuegorhzroeej.exe
zuegorhzroeej.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1348

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
71362953fc405f84c97a3dcaf10ad61a

SHA1
ecd4a26ac6e064a3bfa6e953094e8b907c677d6c

SHA256
eb01746e5c1e94cd203f839cb7b12afde2393c3fb1bc5fded2f63c7d6fcf7206

SHA512
298496e4b555716e6bcf5d01df9d2146919d13ba86c6d59cbccc6e8f66df06f07ec2f8de1b17b71668aee3f7acae3a46a2ad7d507efe45b57a6f445799148f4d

Download Submit
C:\Users\Admin\AppData\Roaming\UnlockCompare.doc.exe

Filesize
255KB

MD5
320f02ee328dbd631ade5b72d77989b9

SHA1
ac5ccc8a456ed7c5187d451f4b58cce4ae47ae2a

SHA256
006b72cdb03f3eacae79fb523427266d9498c114d63f42bf8be2a9935333e337

SHA512
4304ce6d217040cfe55ab962331f40bff23c3547534ee994fc6fa73f42d8580addef7488d254f8058110574e176b45dc2e7caffb868309bd589a7c592f842ccc

Download Submit
C:\Users\Admin\Desktop\WatchClose.doc.exe

Filesize
255KB

MD5
b3bbbbb85919d7f12ee81671b4ca021b

SHA1
a27e64068b312ea2b73f96802146ecb37e64231e

SHA256
4dbc004226edf6bd73df1afd702955b66a16a716752ef862672e2fa1c0a09175

SHA512
9978756a389e026e1d07c9f30c284c03ff26c0a5ea9939aeceed5c26cd8a2de6e4bc9bb699fa05039f629fa35a4015a6cfb5d039158637d8eb919c26d77eb832

Download Submit
C:\Windows\SysWOW64\gwyejoqlvb.exe

Filesize
255KB

MD5
264cd67f9b091450d0c02a30138d040b

SHA1
ea710ca17c7c65e334e7192a31e660efd2b94f55

SHA256
d9a64d4974a9ff0011b572cc293d507d746c4a64fe15fa0e9e20f7133e790aac

SHA512
38f969f43a1640c4b1310723f5e9f147d40cd195d9ad984cce40de398d8b606569b51a556edbba84403720ffd14ddb95deee7503c84aea06d8ce34ec13b2f981

Download Submit
C:\Windows\SysWOW64\gwyejoqlvb.exe

Filesize
255KB

MD5
264cd67f9b091450d0c02a30138d040b

SHA1
ea710ca17c7c65e334e7192a31e660efd2b94f55

SHA256
d9a64d4974a9ff0011b572cc293d507d746c4a64fe15fa0e9e20f7133e790aac

SHA512
38f969f43a1640c4b1310723f5e9f147d40cd195d9ad984cce40de398d8b606569b51a556edbba84403720ffd14ddb95deee7503c84aea06d8ce34ec13b2f981

Download Submit
C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe

Filesize
255KB

MD5
34365157a38678052c73fe9e81aa035a

SHA1
493bf59f033f100b1c9c4b0561dd4e1d130d447a

SHA256
6b20a0e531a8ac290c0f1dc8f4be5208e15d2f4ec446a1918147494a6bf0e311

SHA512
589fddc45eba9df90245df52724d709dab6ac200b970d5674772c65c5c1776b8a899b61663f6d3c1edf4c0e20835c112d4429b7f04e089bc7824181bd9a1864c

Download Submit
C:\Windows\SysWOW64\kmyrfcpfeqnaris.exe

Filesize
255KB

MD5
34365157a38678052c73fe9e81aa035a

SHA1
493bf59f033f100b1c9c4b0561dd4e1d130d447a

SHA256
6b20a0e531a8ac290c0f1dc8f4be5208e15d2f4ec446a1918147494a6bf0e311

SHA512
589fddc45eba9df90245df52724d709dab6ac200b970d5674772c65c5c1776b8a899b61663f6d3c1edf4c0e20835c112d4429b7f04e089bc7824181bd9a1864c

Download Submit
C:\Windows\SysWOW64\oehlsgjb.exe

Filesize
255KB

MD5
29ab89459b034fe2005972204dfe2217

SHA1
5e3ecca259ef350e43d17201fd2e99b21517cce7

SHA256
692eb43516e5a79d257dca6b883f068ca712f55471caf2185b5d7b89db93ee16

SHA512
8bc89a2c9a405c5042f8feb10638f75d00d4a6bbcd7dd8c9fe656a5e37cbad4ba0b10d8dcb84a45a3fe0d9e94266aa58e3cd55963362531a5098d1f2054ff191

Download Submit
C:\Windows\SysWOW64\oehlsgjb.exe

Filesize
255KB

MD5
29ab89459b034fe2005972204dfe2217

SHA1
5e3ecca259ef350e43d17201fd2e99b21517cce7

SHA256
692eb43516e5a79d257dca6b883f068ca712f55471caf2185b5d7b89db93ee16

SHA512
8bc89a2c9a405c5042f8feb10638f75d00d4a6bbcd7dd8c9fe656a5e37cbad4ba0b10d8dcb84a45a3fe0d9e94266aa58e3cd55963362531a5098d1f2054ff191

Download Submit
C:\Windows\SysWOW64\oehlsgjb.exe

Filesize
255KB

MD5
29ab89459b034fe2005972204dfe2217

SHA1
5e3ecca259ef350e43d17201fd2e99b21517cce7

SHA256
692eb43516e5a79d257dca6b883f068ca712f55471caf2185b5d7b89db93ee16

SHA512
8bc89a2c9a405c5042f8feb10638f75d00d4a6bbcd7dd8c9fe656a5e37cbad4ba0b10d8dcb84a45a3fe0d9e94266aa58e3cd55963362531a5098d1f2054ff191

Download Submit
C:\Windows\SysWOW64\zuegorhzroeej.exe

Filesize
255KB

MD5
41b073c1b914ec427094ae02165625ca

SHA1
ac3bf0aa24c6573aa26ce8ebebff492d4550212d

SHA256
59aeeb8a3a74e539daa92e9c72498136240f3cf950d91758702e70bc5d1d10ff

SHA512
8d96d10b20744573b4d1b028a89e1bc8b93ea7aee98b376d4e1debc79c0a2c6c1d54982c41bc95bd8e1d0d0482a356bc4feedd512652ba012cd929ac67c4055a

Download Submit
C:\Windows\SysWOW64\zuegorhzroeej.exe

Filesize
255KB

MD5
41b073c1b914ec427094ae02165625ca

SHA1
ac3bf0aa24c6573aa26ce8ebebff492d4550212d

SHA256
59aeeb8a3a74e539daa92e9c72498136240f3cf950d91758702e70bc5d1d10ff

SHA512
8d96d10b20744573b4d1b028a89e1bc8b93ea7aee98b376d4e1debc79c0a2c6c1d54982c41bc95bd8e1d0d0482a356bc4feedd512652ba012cd929ac67c4055a

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\gwyejoqlvb.exe

Filesize
255KB

MD5
264cd67f9b091450d0c02a30138d040b

SHA1
ea710ca17c7c65e334e7192a31e660efd2b94f55

SHA256
d9a64d4974a9ff0011b572cc293d507d746c4a64fe15fa0e9e20f7133e790aac

SHA512
38f969f43a1640c4b1310723f5e9f147d40cd195d9ad984cce40de398d8b606569b51a556edbba84403720ffd14ddb95deee7503c84aea06d8ce34ec13b2f981

Download Submit
\Windows\SysWOW64\kmyrfcpfeqnaris.exe

Filesize
255KB

MD5
34365157a38678052c73fe9e81aa035a

SHA1
493bf59f033f100b1c9c4b0561dd4e1d130d447a

SHA256
6b20a0e531a8ac290c0f1dc8f4be5208e15d2f4ec446a1918147494a6bf0e311

SHA512
589fddc45eba9df90245df52724d709dab6ac200b970d5674772c65c5c1776b8a899b61663f6d3c1edf4c0e20835c112d4429b7f04e089bc7824181bd9a1864c

Download Submit
\Windows\SysWOW64\oehlsgjb.exe

Filesize
255KB

MD5
29ab89459b034fe2005972204dfe2217

SHA1
5e3ecca259ef350e43d17201fd2e99b21517cce7

SHA256
692eb43516e5a79d257dca6b883f068ca712f55471caf2185b5d7b89db93ee16

SHA512
8bc89a2c9a405c5042f8feb10638f75d00d4a6bbcd7dd8c9fe656a5e37cbad4ba0b10d8dcb84a45a3fe0d9e94266aa58e3cd55963362531a5098d1f2054ff191

Download Submit
\Windows\SysWOW64\oehlsgjb.exe

Filesize
255KB

MD5
29ab89459b034fe2005972204dfe2217

SHA1
5e3ecca259ef350e43d17201fd2e99b21517cce7

SHA256
692eb43516e5a79d257dca6b883f068ca712f55471caf2185b5d7b89db93ee16

SHA512
8bc89a2c9a405c5042f8feb10638f75d00d4a6bbcd7dd8c9fe656a5e37cbad4ba0b10d8dcb84a45a3fe0d9e94266aa58e3cd55963362531a5098d1f2054ff191

Download Submit
\Windows\SysWOW64\zuegorhzroeej.exe

Filesize
255KB

MD5
41b073c1b914ec427094ae02165625ca

SHA1
ac3bf0aa24c6573aa26ce8ebebff492d4550212d

SHA256
59aeeb8a3a74e539daa92e9c72498136240f3cf950d91758702e70bc5d1d10ff

SHA512
8d96d10b20744573b4d1b028a89e1bc8b93ea7aee98b376d4e1debc79c0a2c6c1d54982c41bc95bd8e1d0d0482a356bc4feedd512652ba012cd929ac67c4055a

Download Submit
memory/328-80-0x0000000000000000-mapping.dmp

Download
memory/328-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/328-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/584-88-0x0000000070041000-0x0000000070043000-memory.dmp

Filesize
8KB

Download
memory/584-92-0x000000007102D000-0x0000000071038000-memory.dmp

Filesize
44KB

Download
memory/584-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/584-98-0x000000007102D000-0x0000000071038000-memory.dmp

Filesize
44KB

Download
memory/584-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/584-85-0x0000000000000000-mapping.dmp

Download
memory/584-87-0x00000000725C1000-0x00000000725C4000-memory.dmp

Filesize
12KB

Download
memory/584-105-0x000000007102D000-0x0000000071038000-memory.dmp

Filesize
44KB

Download
memory/868-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/868-65-0x0000000000000000-mapping.dmp

Download
memory/1068-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1068-72-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1068-61-0x0000000000000000-mapping.dmp

Download
memory/1316-57-0x0000000000000000-mapping.dmp

Download
memory/1316-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1316-70-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1348-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1348-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1348-68-0x0000000000000000-mapping.dmp

Download
memory/1728-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1728-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1728-71-0x0000000003310000-0x00000000033B0000-memory.dmp

Filesize
640KB

Download
memory/1728-54-0x0000000076301000-0x0000000076303000-memory.dmp

Filesize
8KB

Download
memory/1980-100-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

Filesize
8KB

Download
memory/1980-99-0x0000000000000000-mapping.dmp

Download