6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43

Analysis

max time kernel
154s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Size

255KB
MD5

cb1544825f6079d6905dca0feb41ed07
SHA1

25f840f9e039d2d2818fc9832bc897b465c48537
SHA256

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43
SHA512

2ba6cd94647ca8ae06ae5ead4429ebbd23b989def0941bd70701f09ea560ba5cbd8cd8fcaca371c455602474a091732f64526b24f4791d1f7c88bc1116164fb7
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJf:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIm

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	apypaebubt.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	apypaebubt.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	apypaebubt.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	apypaebubt.exe

Executes dropped EXE 5 IoCs

Processes:

apypaebubt.exesjviqtrolouhplt.execlopsaqu.exeamxtayxnsivpe.execlopsaqu.exe

pid process

1156 apypaebubt.exe
872 sjviqtrolouhplt.exe
776 clopsaqu.exe
1556 amxtayxnsivpe.exe
360 clopsaqu.exe

pid	process
1156	apypaebubt.exe
872	sjviqtrolouhplt.exe
776	clopsaqu.exe
1556	amxtayxnsivpe.exe
360	clopsaqu.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/848-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\apypaebubt.exe	upx
C:\Windows\SysWOW64\apypaebubt.exe	upx
\Windows\SysWOW64\sjviqtrolouhplt.exe	upx
C:\Windows\SysWOW64\sjviqtrolouhplt.exe	upx
C:\Windows\SysWOW64\apypaebubt.exe	upx
\Windows\SysWOW64\clopsaqu.exe	upx
C:\Windows\SysWOW64\sjviqtrolouhplt.exe	upx
C:\Windows\SysWOW64\clopsaqu.exe	upx
\Windows\SysWOW64\amxtayxnsivpe.exe	upx
C:\Windows\SysWOW64\clopsaqu.exe	upx
C:\Windows\SysWOW64\amxtayxnsivpe.exe	upx
behavioral1/memory/1156-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/872-77-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/776-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1556-79-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\clopsaqu.exe	upx
C:\Windows\SysWOW64\clopsaqu.exe	upx
behavioral1/memory/360-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/848-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1156-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/872-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/776-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/360-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx

Loads dropped DLL 5 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exe

pid	process
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156	apypaebubt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	apypaebubt.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sjviqtrolouhplt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "amxtayxnsivpe.exe"	sjviqtrolouhplt.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	sjviqtrolouhplt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gfeqbefs = "apypaebubt.exe"	sjviqtrolouhplt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsbyfowk = "sjviqtrolouhplt.exe"	sjviqtrolouhplt.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

clopsaqu.execlopsaqu.exeapypaebubt.exe

description	ioc	process
File opened (read-only)	\??\l:	clopsaqu.exe
File opened (read-only)	\??\e:	clopsaqu.exe
File opened (read-only)	\??\n:	clopsaqu.exe
File opened (read-only)	\??\m:	apypaebubt.exe
File opened (read-only)	\??\q:	clopsaqu.exe
File opened (read-only)	\??\j:	clopsaqu.exe
File opened (read-only)	\??\h:	apypaebubt.exe
File opened (read-only)	\??\z:	apypaebubt.exe
File opened (read-only)	\??\h:	clopsaqu.exe
File opened (read-only)	\??\w:	clopsaqu.exe
File opened (read-only)	\??\q:	clopsaqu.exe
File opened (read-only)	\??\j:	apypaebubt.exe
File opened (read-only)	\??\l:	apypaebubt.exe
File opened (read-only)	\??\y:	clopsaqu.exe
File opened (read-only)	\??\u:	clopsaqu.exe
File opened (read-only)	\??\a:	apypaebubt.exe
File opened (read-only)	\??\s:	clopsaqu.exe
File opened (read-only)	\??\k:	clopsaqu.exe
File opened (read-only)	\??\t:	apypaebubt.exe
File opened (read-only)	\??\u:	apypaebubt.exe
File opened (read-only)	\??\e:	clopsaqu.exe
File opened (read-only)	\??\x:	apypaebubt.exe
File opened (read-only)	\??\z:	clopsaqu.exe
File opened (read-only)	\??\l:	clopsaqu.exe
File opened (read-only)	\??\w:	clopsaqu.exe
File opened (read-only)	\??\z:	clopsaqu.exe
File opened (read-only)	\??\b:	clopsaqu.exe
File opened (read-only)	\??\i:	clopsaqu.exe
File opened (read-only)	\??\a:	clopsaqu.exe
File opened (read-only)	\??\f:	apypaebubt.exe
File opened (read-only)	\??\q:	apypaebubt.exe
File opened (read-only)	\??\k:	apypaebubt.exe
File opened (read-only)	\??\g:	clopsaqu.exe
File opened (read-only)	\??\g:	clopsaqu.exe
File opened (read-only)	\??\t:	clopsaqu.exe
File opened (read-only)	\??\x:	clopsaqu.exe
File opened (read-only)	\??\n:	clopsaqu.exe
File opened (read-only)	\??\o:	clopsaqu.exe
File opened (read-only)	\??\p:	clopsaqu.exe
File opened (read-only)	\??\e:	apypaebubt.exe
File opened (read-only)	\??\r:	apypaebubt.exe
File opened (read-only)	\??\a:	clopsaqu.exe
File opened (read-only)	\??\t:	clopsaqu.exe
File opened (read-only)	\??\b:	clopsaqu.exe
File opened (read-only)	\??\f:	clopsaqu.exe
File opened (read-only)	\??\i:	apypaebubt.exe
File opened (read-only)	\??\p:	clopsaqu.exe
File opened (read-only)	\??\h:	clopsaqu.exe
File opened (read-only)	\??\i:	clopsaqu.exe
File opened (read-only)	\??\m:	clopsaqu.exe
File opened (read-only)	\??\y:	apypaebubt.exe
File opened (read-only)	\??\j:	clopsaqu.exe
File opened (read-only)	\??\m:	clopsaqu.exe
File opened (read-only)	\??\u:	clopsaqu.exe
File opened (read-only)	\??\s:	clopsaqu.exe
File opened (read-only)	\??\n:	apypaebubt.exe
File opened (read-only)	\??\w:	apypaebubt.exe
File opened (read-only)	\??\v:	clopsaqu.exe
File opened (read-only)	\??\y:	clopsaqu.exe
File opened (read-only)	\??\g:	apypaebubt.exe
File opened (read-only)	\??\r:	clopsaqu.exe
File opened (read-only)	\??\s:	apypaebubt.exe
File opened (read-only)	\??\k:	clopsaqu.exe
File opened (read-only)	\??\o:	apypaebubt.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

apypaebubt.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	apypaebubt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	apypaebubt.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/848-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1156-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/872-77-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/776-78-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/360-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/848-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1156-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/872-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/776-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/360-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exe

description	ioc	process
File created	C:\Windows\SysWOW64\clopsaqu.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created	C:\Windows\SysWOW64\apypaebubt.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created	C:\Windows\SysWOW64\sjviqtrolouhplt.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification	C:\Windows\SysWOW64\sjviqtrolouhplt.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification	C:\Windows\SysWOW64\amxtayxnsivpe.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	apypaebubt.exe
File opened for modification	C:\Windows\SysWOW64\apypaebubt.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification	C:\Windows\SysWOW64\clopsaqu.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File created	C:\Windows\SysWOW64\amxtayxnsivpe.exe	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe

Drops file in Program Files directory 21 IoCs

Processes:

clopsaqu.execlopsaqu.exe

description	ioc	process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	clopsaqu.exe
File opened for modification	\??\c:\Program Files\WaitUnblock.doc.exe	clopsaqu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	clopsaqu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	clopsaqu.exe
File created	\??\c:\Program Files\WaitUnblock.doc.exe	clopsaqu.exe
File opened for modification	C:\Program Files\WaitUnblock.nal	clopsaqu.exe
File opened for modification	\??\c:\Program Files\WaitUnblock.doc.exe	clopsaqu.exe
File opened for modification	C:\Program Files\WaitUnblock.doc.exe	clopsaqu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files\WaitUnblock.doc.exe	clopsaqu.exe
File opened for modification	C:\Program Files\WaitUnblock.nal	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	clopsaqu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	clopsaqu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	clopsaqu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	clopsaqu.exe

Drops file in Windows directory 5 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEapypaebubt.exe6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	apypaebubt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	apypaebubt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	apypaebubt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33422D789D2082246A4676D570242DDB7DF565DD"	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	apypaebubt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB1B15F47E138E252CDBAD333EDD4B8"	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	apypaebubt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	apypaebubt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F66BB3FE1822D9D272D0D28A7F9010"	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	apypaebubt.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1716 WINWORD.EXE

pid	process
1716	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exesjviqtrolouhplt.execlopsaqu.execlopsaqu.exe

pid	process
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
776	clopsaqu.exe
776	clopsaqu.exe
776	clopsaqu.exe
776	clopsaqu.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
360	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exesjviqtrolouhplt.execlopsaqu.execlopsaqu.exe

pid	process
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
776	clopsaqu.exe
776	clopsaqu.exe
776	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exesjviqtrolouhplt.execlopsaqu.execlopsaqu.exe

pid	process
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
1156	apypaebubt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
872	sjviqtrolouhplt.exe
776	clopsaqu.exe
776	clopsaqu.exe
776	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe
360	clopsaqu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1716 WINWORD.EXE
1716 WINWORD.EXE

pid	process
1716	WINWORD.EXE
1716	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exeapypaebubt.exeWINWORD.EXE

description	pid	process	target process
PID 848 wrote to memory of 1156	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	apypaebubt.exe
PID 848 wrote to memory of 1156	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	apypaebubt.exe
PID 848 wrote to memory of 1156	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	apypaebubt.exe
PID 848 wrote to memory of 1156	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	apypaebubt.exe
PID 848 wrote to memory of 872	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	sjviqtrolouhplt.exe
PID 848 wrote to memory of 872	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	sjviqtrolouhplt.exe
PID 848 wrote to memory of 872	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	sjviqtrolouhplt.exe
PID 848 wrote to memory of 872	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	sjviqtrolouhplt.exe
PID 848 wrote to memory of 776	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	clopsaqu.exe
PID 848 wrote to memory of 776	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	clopsaqu.exe
PID 848 wrote to memory of 776	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	clopsaqu.exe
PID 848 wrote to memory of 776	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	clopsaqu.exe
PID 848 wrote to memory of 1556	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	amxtayxnsivpe.exe
PID 848 wrote to memory of 1556	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	amxtayxnsivpe.exe
PID 848 wrote to memory of 1556	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	amxtayxnsivpe.exe
PID 848 wrote to memory of 1556	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	amxtayxnsivpe.exe
PID 1156 wrote to memory of 360	1156	apypaebubt.exe	clopsaqu.exe
PID 1156 wrote to memory of 360	1156	apypaebubt.exe	clopsaqu.exe
PID 1156 wrote to memory of 360	1156	apypaebubt.exe	clopsaqu.exe
PID 1156 wrote to memory of 360	1156	apypaebubt.exe	clopsaqu.exe
PID 848 wrote to memory of 1716	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	WINWORD.EXE
PID 848 wrote to memory of 1716	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	WINWORD.EXE
PID 848 wrote to memory of 1716	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	WINWORD.EXE
PID 848 wrote to memory of 1716	848	6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe	WINWORD.EXE
PID 1716 wrote to memory of 912	1716	WINWORD.EXE	splwow64.exe
PID 1716 wrote to memory of 912	1716	WINWORD.EXE	splwow64.exe
PID 1716 wrote to memory of 912	1716	WINWORD.EXE	splwow64.exe
PID 1716 wrote to memory of 912	1716	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe
"C:\Users\Admin\AppData\Local\Temp\6c072b6405bcc7f998627eef9fd42bf2c4a97d97245eae9dd977aeb3f8f1dd43.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\apypaebubt.exe
apypaebubt.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\clopsaqu.exe
C:\Windows\system32\clopsaqu.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:360

C:\Windows\SysWOW64\sjviqtrolouhplt.exe
sjviqtrolouhplt.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:872

C:\Windows\SysWOW64\clopsaqu.exe
clopsaqu.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:776

C:\Windows\SysWOW64\amxtayxnsivpe.exe
amxtayxnsivpe.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
b8654da8370128fca2f0eb54665a6c3b

SHA1
8053b9e5ace655326702841c51a3c65943b968f3

SHA256
84ca041f3cbcda85b0755ac1a9c8e25eb1c859128b9625c2bd80b06842c6363e

SHA512
02af7ff355ca73789790cc51001fa0e69620a1dc80448cbd0c522ae709189cccdade9b0bc479d068f88568cb8bd7c761b036a887b12dcad02912737732f86f3c

Download Submit
C:\Windows\SysWOW64\amxtayxnsivpe.exe
Filesize
255KB

MD5
3e04093323e11e4c70951bf978d9e23c

SHA1
58a3ac508293e1d6fbb4002c69d9685c06961cfe

SHA256
737d12fd51f0e908a02b28c27960393d34c4456e9146bb3f20bedb8f69187746

SHA512
3fe3830d6110761b52ae39b942604de2b58403d74aa12e8b3ed244556bdc429a1078aba5ae24e5526b2cba04abc49e2a48e5951a42488346aa32094030b6ff0c

Download Submit
C:\Windows\SysWOW64\apypaebubt.exe
Filesize
255KB

MD5
362953a4c2470a2b9a21b246a5f30666

SHA1
0a04fb185e5f2d450eff3235439e46589395ff17

SHA256
6778a5f188c7bb032ad6e9e4419f34de4c93b6bb9fb225fbf27ed12aefb5356f

SHA512
f06b69b56437128210f32a2fd0afb7feb40a4043cb7dd1c860b93ae202a02af12156599a7bae01961ae89297ed6ca3286ee57591a6cc16e55510175340667ed5

Download Submit
C:\Windows\SysWOW64\apypaebubt.exe
Filesize
255KB

MD5
362953a4c2470a2b9a21b246a5f30666

SHA1
0a04fb185e5f2d450eff3235439e46589395ff17

SHA256
6778a5f188c7bb032ad6e9e4419f34de4c93b6bb9fb225fbf27ed12aefb5356f

SHA512
f06b69b56437128210f32a2fd0afb7feb40a4043cb7dd1c860b93ae202a02af12156599a7bae01961ae89297ed6ca3286ee57591a6cc16e55510175340667ed5

Download Submit
C:\Windows\SysWOW64\clopsaqu.exe
Filesize
255KB

MD5
12daba8a19ad8ff21f8297ac7189522f

SHA1
7e9e7bc6a03499c8f67a78799efb5d8350ea15bc

SHA256
eb4ec5818db62869603651579faa448d7e43bb8fa08ed5ee3587ff47c5d3dd8a

SHA512
b40e1e18361761a5c60d73f38f11ed11c3dedd16b28c56042b4e0ad41c1f12a88168560a2be478ae052c2203f18fead3719d7756e3fa84d7746773eb40d6936f

Download Submit
C:\Windows\SysWOW64\clopsaqu.exe
Filesize
255KB

MD5
12daba8a19ad8ff21f8297ac7189522f

SHA1
7e9e7bc6a03499c8f67a78799efb5d8350ea15bc

SHA256
eb4ec5818db62869603651579faa448d7e43bb8fa08ed5ee3587ff47c5d3dd8a

SHA512
b40e1e18361761a5c60d73f38f11ed11c3dedd16b28c56042b4e0ad41c1f12a88168560a2be478ae052c2203f18fead3719d7756e3fa84d7746773eb40d6936f

Download Submit
C:\Windows\SysWOW64\clopsaqu.exe
Filesize
255KB

MD5
12daba8a19ad8ff21f8297ac7189522f

SHA1
7e9e7bc6a03499c8f67a78799efb5d8350ea15bc

SHA256
eb4ec5818db62869603651579faa448d7e43bb8fa08ed5ee3587ff47c5d3dd8a

SHA512
b40e1e18361761a5c60d73f38f11ed11c3dedd16b28c56042b4e0ad41c1f12a88168560a2be478ae052c2203f18fead3719d7756e3fa84d7746773eb40d6936f

Download Submit
C:\Windows\SysWOW64\sjviqtrolouhplt.exe
Filesize
255KB

MD5
f3f24854affbfe982a2243e939759ba4

SHA1
20475a68ab3c193621aeacb0f5d31e10beae9c93

SHA256
19926b8f90491699372a52465272cc9ad52dde88e86309fdfbc5e39928da95db

SHA512
4192c7d54aefec8bd078cddfd3f045c37e435bf0383c517597569bb08bfd97e893721ce27d02603e333cb6609181ed8d29a23c1deef3aa92473920d2f9dee128

Download Submit
C:\Windows\SysWOW64\sjviqtrolouhplt.exe
Filesize
255KB

MD5
f3f24854affbfe982a2243e939759ba4

SHA1
20475a68ab3c193621aeacb0f5d31e10beae9c93

SHA256
19926b8f90491699372a52465272cc9ad52dde88e86309fdfbc5e39928da95db

SHA512
4192c7d54aefec8bd078cddfd3f045c37e435bf0383c517597569bb08bfd97e893721ce27d02603e333cb6609181ed8d29a23c1deef3aa92473920d2f9dee128

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\amxtayxnsivpe.exe
Filesize
255KB

MD5
3e04093323e11e4c70951bf978d9e23c

SHA1
58a3ac508293e1d6fbb4002c69d9685c06961cfe

SHA256
737d12fd51f0e908a02b28c27960393d34c4456e9146bb3f20bedb8f69187746

SHA512
3fe3830d6110761b52ae39b942604de2b58403d74aa12e8b3ed244556bdc429a1078aba5ae24e5526b2cba04abc49e2a48e5951a42488346aa32094030b6ff0c

Download Submit
\Windows\SysWOW64\apypaebubt.exe
Filesize
255KB

MD5
362953a4c2470a2b9a21b246a5f30666

SHA1
0a04fb185e5f2d450eff3235439e46589395ff17

SHA256
6778a5f188c7bb032ad6e9e4419f34de4c93b6bb9fb225fbf27ed12aefb5356f

SHA512
f06b69b56437128210f32a2fd0afb7feb40a4043cb7dd1c860b93ae202a02af12156599a7bae01961ae89297ed6ca3286ee57591a6cc16e55510175340667ed5

Download Submit
\Windows\SysWOW64\clopsaqu.exe
Filesize
255KB

MD5
12daba8a19ad8ff21f8297ac7189522f

SHA1
7e9e7bc6a03499c8f67a78799efb5d8350ea15bc

SHA256
eb4ec5818db62869603651579faa448d7e43bb8fa08ed5ee3587ff47c5d3dd8a

SHA512
b40e1e18361761a5c60d73f38f11ed11c3dedd16b28c56042b4e0ad41c1f12a88168560a2be478ae052c2203f18fead3719d7756e3fa84d7746773eb40d6936f

Download Submit
\Windows\SysWOW64\clopsaqu.exe
Filesize
255KB

MD5
12daba8a19ad8ff21f8297ac7189522f

SHA1
7e9e7bc6a03499c8f67a78799efb5d8350ea15bc

SHA256
eb4ec5818db62869603651579faa448d7e43bb8fa08ed5ee3587ff47c5d3dd8a

SHA512
b40e1e18361761a5c60d73f38f11ed11c3dedd16b28c56042b4e0ad41c1f12a88168560a2be478ae052c2203f18fead3719d7756e3fa84d7746773eb40d6936f

Download Submit
\Windows\SysWOW64\sjviqtrolouhplt.exe
Filesize
255KB

MD5
f3f24854affbfe982a2243e939759ba4

SHA1
20475a68ab3c193621aeacb0f5d31e10beae9c93

SHA256
19926b8f90491699372a52465272cc9ad52dde88e86309fdfbc5e39928da95db

SHA512
4192c7d54aefec8bd078cddfd3f045c37e435bf0383c517597569bb08bfd97e893721ce27d02603e333cb6609181ed8d29a23c1deef3aa92473920d2f9dee128

Download Submit
memory/360-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/360-81-0x0000000000000000-mapping.dmp

Download
memory/360-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/776-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/776-67-0x0000000000000000-mapping.dmp

Download
memory/776-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/848-76-0x00000000023F0000-0x0000000002490000-memory.dmp

Filesize
640KB

Download
memory/848-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/848-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/872-77-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/872-61-0x0000000000000000-mapping.dmp

Download
memory/872-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/912-99-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/912-98-0x0000000000000000-mapping.dmp

Download
memory/1156-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1156-57-0x0000000000000000-mapping.dmp

Download
memory/1156-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1556-71-0x0000000000000000-mapping.dmp

Download
memory/1556-79-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1716-91-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/1716-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1716-97-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download
memory/1716-88-0x0000000070A51000-0x0000000070A53000-memory.dmp

Filesize
8KB

Download
memory/1716-87-0x0000000072FD1000-0x0000000072FD4000-memory.dmp

Filesize
12KB

Download
memory/1716-85-0x0000000000000000-mapping.dmp

Download
memory/1716-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1716-102-0x0000000071A3D000-0x0000000071A48000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads