103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82

Analysis

max time kernel
153s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
Size

255KB
MD5

98517f9c412d1e224b62ac7f779feda5
SHA1

3b2cfdc9ba2177b640894f73c0d2709ca0969508
SHA256

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82
SHA512

9edb988ce7dfb8bf36f521bd437aa45f97e2077fcd053eb175080a90b3e2056e1a24cdeca468c2e25d2e57cbbfbc9e1fdde6510fc94c4998826c05732439ee82
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJa:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIJ

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	gbvzdzofjz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gbvzdzofjz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gbvzdzofjz.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gbvzdzofjz.exe

Executes dropped EXE 6 IoCs

Processes:

gbvzdzofjz.exeqaatwmybwhohhon.exehqytblkq.exeytfbzpjejvmfq.exeytfbzpjejvmfq.exehqytblkq.exe

pid process

892 gbvzdzofjz.exe
1188 qaatwmybwhohhon.exe
1324 hqytblkq.exe
1304 ytfbzpjejvmfq.exe
1096 ytfbzpjejvmfq.exe
1552 hqytblkq.exe

pid	process
892	gbvzdzofjz.exe
1188	qaatwmybwhohhon.exe
1324	hqytblkq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1552	hqytblkq.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\gbvzdzofjz.exe	upx
C:\Windows\SysWOW64\gbvzdzofjz.exe	upx
C:\Windows\SysWOW64\gbvzdzofjz.exe	upx
\Windows\SysWOW64\qaatwmybwhohhon.exe	upx
C:\Windows\SysWOW64\qaatwmybwhohhon.exe	upx
C:\Windows\SysWOW64\qaatwmybwhohhon.exe	upx
\Windows\SysWOW64\hqytblkq.exe	upx
C:\Windows\SysWOW64\hqytblkq.exe	upx
C:\Windows\SysWOW64\hqytblkq.exe	upx
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe	upx
\Windows\SysWOW64\ytfbzpjejvmfq.exe	upx
\Windows\SysWOW64\ytfbzpjejvmfq.exe	upx
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe	upx
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe	upx
behavioral1/memory/892-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1188-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1324-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\hqytblkq.exe	upx
behavioral1/memory/1304-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\hqytblkq.exe	upx
behavioral1/memory/1096-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1992-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1096-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/892-100-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1188-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1324-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1304-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx

Loads dropped DLL 6 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.execmd.exegbvzdzofjz.exe

pid	process
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1500	cmd.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
892	gbvzdzofjz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gbvzdzofjz.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qaatwmybwhohhon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jbexnrxl = "qaatwmybwhohhon.exe"	qaatwmybwhohhon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ytfbzpjejvmfq.exe"	qaatwmybwhohhon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	qaatwmybwhohhon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ksoeknyb = "gbvzdzofjz.exe"	qaatwmybwhohhon.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

gbvzdzofjz.exehqytblkq.exehqytblkq.exe

description	ioc	process
File opened (read-only)	\??\s:	gbvzdzofjz.exe
File opened (read-only)	\??\n:	hqytblkq.exe
File opened (read-only)	\??\g:	gbvzdzofjz.exe
File opened (read-only)	\??\m:	gbvzdzofjz.exe
File opened (read-only)	\??\g:	hqytblkq.exe
File opened (read-only)	\??\w:	hqytblkq.exe
File opened (read-only)	\??\o:	hqytblkq.exe
File opened (read-only)	\??\z:	hqytblkq.exe
File opened (read-only)	\??\e:	gbvzdzofjz.exe
File opened (read-only)	\??\j:	hqytblkq.exe
File opened (read-only)	\??\z:	gbvzdzofjz.exe
File opened (read-only)	\??\g:	hqytblkq.exe
File opened (read-only)	\??\r:	hqytblkq.exe
File opened (read-only)	\??\f:	hqytblkq.exe
File opened (read-only)	\??\j:	gbvzdzofjz.exe
File opened (read-only)	\??\t:	hqytblkq.exe
File opened (read-only)	\??\u:	hqytblkq.exe
File opened (read-only)	\??\n:	gbvzdzofjz.exe
File opened (read-only)	\??\q:	gbvzdzofjz.exe
File opened (read-only)	\??\w:	gbvzdzofjz.exe
File opened (read-only)	\??\a:	hqytblkq.exe
File opened (read-only)	\??\o:	hqytblkq.exe
File opened (read-only)	\??\u:	gbvzdzofjz.exe
File opened (read-only)	\??\b:	hqytblkq.exe
File opened (read-only)	\??\b:	gbvzdzofjz.exe
File opened (read-only)	\??\m:	hqytblkq.exe
File opened (read-only)	\??\z:	hqytblkq.exe
File opened (read-only)	\??\e:	hqytblkq.exe
File opened (read-only)	\??\h:	hqytblkq.exe
File opened (read-only)	\??\f:	hqytblkq.exe
File opened (read-only)	\??\i:	hqytblkq.exe
File opened (read-only)	\??\s:	hqytblkq.exe
File opened (read-only)	\??\u:	hqytblkq.exe
File opened (read-only)	\??\l:	gbvzdzofjz.exe
File opened (read-only)	\??\r:	gbvzdzofjz.exe
File opened (read-only)	\??\o:	gbvzdzofjz.exe
File opened (read-only)	\??\v:	gbvzdzofjz.exe
File opened (read-only)	\??\a:	hqytblkq.exe
File opened (read-only)	\??\k:	hqytblkq.exe
File opened (read-only)	\??\l:	hqytblkq.exe
File opened (read-only)	\??\v:	hqytblkq.exe
File opened (read-only)	\??\n:	hqytblkq.exe
File opened (read-only)	\??\i:	gbvzdzofjz.exe
File opened (read-only)	\??\x:	hqytblkq.exe
File opened (read-only)	\??\p:	gbvzdzofjz.exe
File opened (read-only)	\??\y:	gbvzdzofjz.exe
File opened (read-only)	\??\q:	hqytblkq.exe
File opened (read-only)	\??\x:	hqytblkq.exe
File opened (read-only)	\??\q:	hqytblkq.exe
File opened (read-only)	\??\v:	hqytblkq.exe
File opened (read-only)	\??\f:	gbvzdzofjz.exe
File opened (read-only)	\??\y:	hqytblkq.exe
File opened (read-only)	\??\y:	hqytblkq.exe
File opened (read-only)	\??\k:	gbvzdzofjz.exe
File opened (read-only)	\??\p:	hqytblkq.exe
File opened (read-only)	\??\j:	hqytblkq.exe
File opened (read-only)	\??\l:	hqytblkq.exe
File opened (read-only)	\??\r:	hqytblkq.exe
File opened (read-only)	\??\a:	gbvzdzofjz.exe
File opened (read-only)	\??\m:	hqytblkq.exe
File opened (read-only)	\??\k:	hqytblkq.exe
File opened (read-only)	\??\p:	hqytblkq.exe
File opened (read-only)	\??\t:	gbvzdzofjz.exe
File opened (read-only)	\??\x:	gbvzdzofjz.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

gbvzdzofjz.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	gbvzdzofjz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	gbvzdzofjz.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/892-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1188-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1324-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1304-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1096-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1096-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/892-100-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1188-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1324-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1304-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exegbvzdzofjz.exe

description	ioc	process
File created	C:\Windows\SysWOW64\gbvzdzofjz.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\SysWOW64\gbvzdzofjz.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\SysWOW64\qaatwmybwhohhon.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	gbvzdzofjz.exe
File created	C:\Windows\SysWOW64\qaatwmybwhohhon.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File created	C:\Windows\SysWOW64\hqytblkq.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\SysWOW64\hqytblkq.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File created	C:\Windows\SysWOW64\ytfbzpjejvmfq.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\SysWOW64\ytfbzpjejvmfq.exe	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe

Drops file in Program Files directory 15 IoCs

Processes:

hqytblkq.exehqytblkq.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hqytblkq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hqytblkq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hqytblkq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hqytblkq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hqytblkq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hqytblkq.exe

Drops file in Windows directory 5 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEgbvzdzofjz.exe103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	gbvzdzofjz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	gbvzdzofjz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	gbvzdzofjz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FC83482685139032D65C7DE6BD93E141584167336341D6EC"	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78368B6FE6B21DDD27BD0A08B099113"	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	gbvzdzofjz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	gbvzdzofjz.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE

pid	process
1372	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exeqaatwmybwhohhon.exegbvzdzofjz.exehqytblkq.exeytfbzpjejvmfq.exeytfbzpjejvmfq.exehqytblkq.exe

pid	process
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1188	qaatwmybwhohhon.exe
1552	hqytblkq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe
1188	qaatwmybwhohhon.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1188	qaatwmybwhohhon.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1188	qaatwmybwhohhon.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1188	qaatwmybwhohhon.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1188	qaatwmybwhohhon.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exegbvzdzofjz.exeqaatwmybwhohhon.exehqytblkq.exeytfbzpjejvmfq.exeytfbzpjejvmfq.exehqytblkq.exe

pid	process
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exegbvzdzofjz.exeqaatwmybwhohhon.exehqytblkq.exeytfbzpjejvmfq.exeytfbzpjejvmfq.exehqytblkq.exe

pid	process
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
892	gbvzdzofjz.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1188	qaatwmybwhohhon.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1324	hqytblkq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1304	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1096	ytfbzpjejvmfq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe
1552	hqytblkq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exeqaatwmybwhohhon.execmd.exegbvzdzofjz.exeWINWORD.EXE

description	pid	process	target process
PID 1992 wrote to memory of 892	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	gbvzdzofjz.exe
PID 1992 wrote to memory of 892	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	gbvzdzofjz.exe
PID 1992 wrote to memory of 892	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	gbvzdzofjz.exe
PID 1992 wrote to memory of 892	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	gbvzdzofjz.exe
PID 1992 wrote to memory of 1188	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	qaatwmybwhohhon.exe
PID 1992 wrote to memory of 1188	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	qaatwmybwhohhon.exe
PID 1992 wrote to memory of 1188	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	qaatwmybwhohhon.exe
PID 1992 wrote to memory of 1188	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	qaatwmybwhohhon.exe
PID 1992 wrote to memory of 1324	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	hqytblkq.exe
PID 1992 wrote to memory of 1324	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	hqytblkq.exe
PID 1992 wrote to memory of 1324	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	hqytblkq.exe
PID 1992 wrote to memory of 1324	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	hqytblkq.exe
PID 1188 wrote to memory of 1500	1188	qaatwmybwhohhon.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	qaatwmybwhohhon.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	qaatwmybwhohhon.exe	cmd.exe
PID 1188 wrote to memory of 1500	1188	qaatwmybwhohhon.exe	cmd.exe
PID 1500 wrote to memory of 1304	1500	cmd.exe	ytfbzpjejvmfq.exe
PID 1500 wrote to memory of 1304	1500	cmd.exe	ytfbzpjejvmfq.exe
PID 1500 wrote to memory of 1304	1500	cmd.exe	ytfbzpjejvmfq.exe
PID 1500 wrote to memory of 1304	1500	cmd.exe	ytfbzpjejvmfq.exe
PID 1992 wrote to memory of 1096	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	ytfbzpjejvmfq.exe
PID 1992 wrote to memory of 1096	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	ytfbzpjejvmfq.exe
PID 1992 wrote to memory of 1096	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	ytfbzpjejvmfq.exe
PID 1992 wrote to memory of 1096	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	ytfbzpjejvmfq.exe
PID 892 wrote to memory of 1552	892	gbvzdzofjz.exe	hqytblkq.exe
PID 892 wrote to memory of 1552	892	gbvzdzofjz.exe	hqytblkq.exe
PID 892 wrote to memory of 1552	892	gbvzdzofjz.exe	hqytblkq.exe
PID 892 wrote to memory of 1552	892	gbvzdzofjz.exe	hqytblkq.exe
PID 1992 wrote to memory of 1372	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	WINWORD.EXE
PID 1992 wrote to memory of 1372	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	WINWORD.EXE
PID 1992 wrote to memory of 1372	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	WINWORD.EXE
PID 1992 wrote to memory of 1372	1992	103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe	WINWORD.EXE
PID 1372 wrote to memory of 2000	1372	WINWORD.EXE	splwow64.exe
PID 1372 wrote to memory of 2000	1372	WINWORD.EXE	splwow64.exe
PID 1372 wrote to memory of 2000	1372	WINWORD.EXE	splwow64.exe
PID 1372 wrote to memory of 2000	1372	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe
"C:\Users\Admin\AppData\Local\Temp\103f90b217ded80990f9967fe59fd0c09ec0f631f76e1476142248baf5c21a82.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\gbvzdzofjz.exe
  gbvzdzofjz.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\hqytblkq.exe
    C:\Windows\system32\hqytblkq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1552
- C:\Windows\SysWOW64\qaatwmybwhohhon.exe
  qaatwmybwhohhon.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ytfbzpjejvmfq.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\ytfbzpjejvmfq.exe
      ytfbzpjejvmfq.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1304
- C:\Windows\SysWOW64\hqytblkq.exe
  hqytblkq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1324
- C:\Windows\SysWOW64\ytfbzpjejvmfq.exe
  ytfbzpjejvmfq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1096
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
1f180194bceea198a95284683a624d86

SHA1
4176406f857ede615a634132d75541bd5362d37a

SHA256
8483d421d8771ea8de463454235cf146ad77c116f851f7302331617392584db4

SHA512
e37a93008dacb054a86392721a04e8970dba4dc77e6209a6ae6a5abf7a9cff63b1192eb2b5eb10244872e7938357bd89f6a6692dc8ddb6f731a5c30f167b8c5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
1f180194bceea198a95284683a624d86

SHA1
4176406f857ede615a634132d75541bd5362d37a

SHA256
8483d421d8771ea8de463454235cf146ad77c116f851f7302331617392584db4

SHA512
e37a93008dacb054a86392721a04e8970dba4dc77e6209a6ae6a5abf7a9cff63b1192eb2b5eb10244872e7938357bd89f6a6692dc8ddb6f731a5c30f167b8c5e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
ef0abf22aa1bfdafdf40426139a1f45e

SHA1
ed2914da093041b61e6e764aa671cf1f4f147988

SHA256
9181cf0536722ababe1096fbdf7d965deef0f56ac79d506970b6eab668d986a3

SHA512
6f4c6e338a7419806e7d3874f1708ca97b4e96d3e25d75c18734b7d23b1bcba852b237564e98d870fd395768f949806d2dc8d3fb5fedbec7d18c102b63ffa99e

Download Submit
C:\Windows\SysWOW64\gbvzdzofjz.exe

Filesize
255KB

MD5
778fd2667716e66d781f2c018b49c9ce

SHA1
f3a90d4aed422c156baf860e362456a46d8f3d66

SHA256
7434a565834ad06a446066f5fbaa8d7074fe6f207f9715fde8d3252bd783aa80

SHA512
9517e2a60a62ffc4b31a21ee5d4621e9b3a9156b7871ec59b7008f8e5a7bf3862ccb7231c962777b56bc7af24230d6d5ba672d5df5f7b1f2a4235a180e0b71ba

Download Submit
C:\Windows\SysWOW64\gbvzdzofjz.exe

Filesize
255KB

MD5
778fd2667716e66d781f2c018b49c9ce

SHA1
f3a90d4aed422c156baf860e362456a46d8f3d66

SHA256
7434a565834ad06a446066f5fbaa8d7074fe6f207f9715fde8d3252bd783aa80

SHA512
9517e2a60a62ffc4b31a21ee5d4621e9b3a9156b7871ec59b7008f8e5a7bf3862ccb7231c962777b56bc7af24230d6d5ba672d5df5f7b1f2a4235a180e0b71ba

Download Submit
C:\Windows\SysWOW64\hqytblkq.exe

Filesize
255KB

MD5
68f11867e833c200de90bf20451e8f2d

SHA1
0bfb797bec006981f330bf20ccdf43082a0c7f92

SHA256
bfe7429cde86d6c966f4e317614cebf2851290fe1757695ce57b0f43f7f81c3b

SHA512
dafa78b22fca1c2ce93d9a7d2e134f742091abc781224e487ae012fd62206c38105a2178c4b757f5fd3f939528e1a7c971d3f122f5bf80a13b5d03e20c17dc37

Download Submit
C:\Windows\SysWOW64\hqytblkq.exe

Filesize
255KB

MD5
68f11867e833c200de90bf20451e8f2d

SHA1
0bfb797bec006981f330bf20ccdf43082a0c7f92

SHA256
bfe7429cde86d6c966f4e317614cebf2851290fe1757695ce57b0f43f7f81c3b

SHA512
dafa78b22fca1c2ce93d9a7d2e134f742091abc781224e487ae012fd62206c38105a2178c4b757f5fd3f939528e1a7c971d3f122f5bf80a13b5d03e20c17dc37

Download Submit
C:\Windows\SysWOW64\hqytblkq.exe

Filesize
255KB

MD5
68f11867e833c200de90bf20451e8f2d

SHA1
0bfb797bec006981f330bf20ccdf43082a0c7f92

SHA256
bfe7429cde86d6c966f4e317614cebf2851290fe1757695ce57b0f43f7f81c3b

SHA512
dafa78b22fca1c2ce93d9a7d2e134f742091abc781224e487ae012fd62206c38105a2178c4b757f5fd3f939528e1a7c971d3f122f5bf80a13b5d03e20c17dc37

Download Submit
C:\Windows\SysWOW64\qaatwmybwhohhon.exe

Filesize
255KB

MD5
8844afaa53205a3af8b5bd70c1d1c503

SHA1
319b8ce49be46f78941ab63229327f46739b9b09

SHA256
9e900ff0df70d2a01ba5dccaf6fd1e0921544cf9567d6c7afb9913a8aa7f4bb9

SHA512
9412a4688606cee72d06924b487c3db6444cdd48595274083a40174edb413210914c6acec844e3e00c8a738634d0ff297fe921fba71eed88387acc487b03065e

Download Submit
C:\Windows\SysWOW64\qaatwmybwhohhon.exe

Filesize
255KB

MD5
8844afaa53205a3af8b5bd70c1d1c503

SHA1
319b8ce49be46f78941ab63229327f46739b9b09

SHA256
9e900ff0df70d2a01ba5dccaf6fd1e0921544cf9567d6c7afb9913a8aa7f4bb9

SHA512
9412a4688606cee72d06924b487c3db6444cdd48595274083a40174edb413210914c6acec844e3e00c8a738634d0ff297fe921fba71eed88387acc487b03065e

Download Submit
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe

Filesize
255KB

MD5
95aef3d7f2550fa333bf890192d92072

SHA1
b9eca93585bd29cbad9773eeb300e3c570b58df8

SHA256
1358b122a551f26c40c823e5658ad5a61e07160e193b5eeb16b2a58649b4a50e

SHA512
fed4479c6679dcde1fb9fa8a5515a0ed37521d991f8f4b1fb69de39c0f1f9b45ea89e90faeb689c857416a05166bbc85e4dfc2bf71c230f49a3f7bc868b24883

Download Submit
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe

Filesize
255KB

MD5
95aef3d7f2550fa333bf890192d92072

SHA1
b9eca93585bd29cbad9773eeb300e3c570b58df8

SHA256
1358b122a551f26c40c823e5658ad5a61e07160e193b5eeb16b2a58649b4a50e

SHA512
fed4479c6679dcde1fb9fa8a5515a0ed37521d991f8f4b1fb69de39c0f1f9b45ea89e90faeb689c857416a05166bbc85e4dfc2bf71c230f49a3f7bc868b24883

Download Submit
C:\Windows\SysWOW64\ytfbzpjejvmfq.exe

Filesize
255KB

MD5
95aef3d7f2550fa333bf890192d92072

SHA1
b9eca93585bd29cbad9773eeb300e3c570b58df8

SHA256
1358b122a551f26c40c823e5658ad5a61e07160e193b5eeb16b2a58649b4a50e

SHA512
fed4479c6679dcde1fb9fa8a5515a0ed37521d991f8f4b1fb69de39c0f1f9b45ea89e90faeb689c857416a05166bbc85e4dfc2bf71c230f49a3f7bc868b24883

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\gbvzdzofjz.exe

Filesize
255KB

MD5
778fd2667716e66d781f2c018b49c9ce

SHA1
f3a90d4aed422c156baf860e362456a46d8f3d66

SHA256
7434a565834ad06a446066f5fbaa8d7074fe6f207f9715fde8d3252bd783aa80

SHA512
9517e2a60a62ffc4b31a21ee5d4621e9b3a9156b7871ec59b7008f8e5a7bf3862ccb7231c962777b56bc7af24230d6d5ba672d5df5f7b1f2a4235a180e0b71ba

Download Submit
\Windows\SysWOW64\hqytblkq.exe

Filesize
255KB

MD5
68f11867e833c200de90bf20451e8f2d

SHA1
0bfb797bec006981f330bf20ccdf43082a0c7f92

SHA256
bfe7429cde86d6c966f4e317614cebf2851290fe1757695ce57b0f43f7f81c3b

SHA512
dafa78b22fca1c2ce93d9a7d2e134f742091abc781224e487ae012fd62206c38105a2178c4b757f5fd3f939528e1a7c971d3f122f5bf80a13b5d03e20c17dc37

Download Submit
\Windows\SysWOW64\hqytblkq.exe

Filesize
255KB

MD5
68f11867e833c200de90bf20451e8f2d

SHA1
0bfb797bec006981f330bf20ccdf43082a0c7f92

SHA256
bfe7429cde86d6c966f4e317614cebf2851290fe1757695ce57b0f43f7f81c3b

SHA512
dafa78b22fca1c2ce93d9a7d2e134f742091abc781224e487ae012fd62206c38105a2178c4b757f5fd3f939528e1a7c971d3f122f5bf80a13b5d03e20c17dc37

Download Submit
\Windows\SysWOW64\qaatwmybwhohhon.exe

Filesize
255KB

MD5
8844afaa53205a3af8b5bd70c1d1c503

SHA1
319b8ce49be46f78941ab63229327f46739b9b09

SHA256
9e900ff0df70d2a01ba5dccaf6fd1e0921544cf9567d6c7afb9913a8aa7f4bb9

SHA512
9412a4688606cee72d06924b487c3db6444cdd48595274083a40174edb413210914c6acec844e3e00c8a738634d0ff297fe921fba71eed88387acc487b03065e

Download Submit
\Windows\SysWOW64\ytfbzpjejvmfq.exe

Filesize
255KB

MD5
95aef3d7f2550fa333bf890192d92072

SHA1
b9eca93585bd29cbad9773eeb300e3c570b58df8

SHA256
1358b122a551f26c40c823e5658ad5a61e07160e193b5eeb16b2a58649b4a50e

SHA512
fed4479c6679dcde1fb9fa8a5515a0ed37521d991f8f4b1fb69de39c0f1f9b45ea89e90faeb689c857416a05166bbc85e4dfc2bf71c230f49a3f7bc868b24883

Download Submit
\Windows\SysWOW64\ytfbzpjejvmfq.exe

Filesize
255KB

MD5
95aef3d7f2550fa333bf890192d92072

SHA1
b9eca93585bd29cbad9773eeb300e3c570b58df8

SHA256
1358b122a551f26c40c823e5658ad5a61e07160e193b5eeb16b2a58649b4a50e

SHA512
fed4479c6679dcde1fb9fa8a5515a0ed37521d991f8f4b1fb69de39c0f1f9b45ea89e90faeb689c857416a05166bbc85e4dfc2bf71c230f49a3f7bc868b24883

Download Submit
memory/892-57-0x0000000000000000-mapping.dmp

Download
memory/892-100-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/892-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1096-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1096-76-0x0000000000000000-mapping.dmp

Download
memory/1096-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1188-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1188-62-0x0000000000000000-mapping.dmp

Download
memory/1188-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1304-75-0x0000000000000000-mapping.dmp

Download
memory/1304-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1304-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1324-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1324-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1324-67-0x0000000000000000-mapping.dmp

Download
memory/1372-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1372-95-0x00000000704A1000-0x00000000704A3000-memory.dmp

Filesize
8KB

Download
memory/1372-97-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1372-94-0x0000000072A21000-0x0000000072A24000-memory.dmp

Filesize
12KB

Download
memory/1372-113-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1372-92-0x0000000000000000-mapping.dmp

Download
memory/1372-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1372-106-0x000000007148D000-0x0000000071498000-memory.dmp

Filesize
44KB

Download
memory/1500-70-0x0000000000000000-mapping.dmp

Download
memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1552-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1552-87-0x0000000000000000-mapping.dmp

Download
memory/1992-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1992-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-82-0x0000000002F00000-0x0000000002FA0000-memory.dmp

Filesize
640KB

Download
memory/2000-110-0x0000000000000000-mapping.dmp

Download
memory/2000-111-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

Filesize
8KB

Download