c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Size

255KB
MD5

5c92c2744a434f94e8edb56a25b2ec2f
SHA1

f17731b0ea8846b838c71dab00476de9af341194
SHA256

c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033
SHA512

b1d0296a9b8b35f8a311ed6a43909022b841657bf28840d521925e1fa76b6125b937f96eab58fe2d61f7c681e12a56f6bd8e3c0861a5f65fc40868e341c4b0cb
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mrpuqfoywy.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mrpuqfoywy.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mrpuqfoywy.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mrpuqfoywy.exe

Executes dropped EXE 6 IoCs

pid	Process
896	mrpuqfoywy.exe
956	holkeolxaicadpb.exe
1644	hpuamvln.exe
1552	tqhxpcntrrwmx.exe
1152	hpuamvln.exe
112	tqhxpcntrrwmx.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x0009000000013a13-59.dat	upx
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x0009000000013a13-61.dat	upx
behavioral1/files/0x0006000000014159-63.dat	upx
behavioral1/files/0x00140000000054ab-62.dat	upx
behavioral1/files/0x0006000000014159-66.dat	upx
behavioral1/files/0x0009000000013a13-68.dat	upx
behavioral1/files/0x000600000001420e-69.dat	upx
behavioral1/files/0x000600000001420e-71.dat	upx
behavioral1/files/0x0006000000014159-72.dat	upx
behavioral1/files/0x000600000001420e-74.dat	upx
behavioral1/files/0x0006000000014159-75.dat	upx
behavioral1/files/0x0006000000014159-78.dat	upx
behavioral1/memory/2032-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000600000001420e-80.dat	upx
behavioral1/files/0x000600000001420e-83.dat	upx
behavioral1/memory/896-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/956-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1644-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1152-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2032-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/112-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0006000000014af2-102.dat	upx
behavioral1/files/0x0006000000014af2-103.dat	upx
behavioral1/files/0x0006000000014b6f-104.dat	upx
behavioral1/files/0x0006000000014baa-105.dat	upx
behavioral1/files/0x0006000000014baa-106.dat	upx
behavioral1/memory/896-107-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1644-109-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/956-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1552-110-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1152-112-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/112-113-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
896	mrpuqfoywy.exe
364	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	mrpuqfoywy.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tqhxpcntrrwmx.exe"	holkeolxaicadpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	holkeolxaicadpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lmhoidru = "mrpuqfoywy.exe"	holkeolxaicadpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nmqhnsfn = "holkeolxaicadpb.exe"	holkeolxaicadpb.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\h:	hpuamvln.exe
File opened (read-only)	\??\v:	hpuamvln.exe
File opened (read-only)	\??\a:	mrpuqfoywy.exe
File opened (read-only)	\??\x:	mrpuqfoywy.exe
File opened (read-only)	\??\w:	hpuamvln.exe
File opened (read-only)	\??\g:	hpuamvln.exe
File opened (read-only)	\??\t:	mrpuqfoywy.exe
File opened (read-only)	\??\z:	hpuamvln.exe
File opened (read-only)	\??\q:	mrpuqfoywy.exe
File opened (read-only)	\??\q:	hpuamvln.exe
File opened (read-only)	\??\h:	mrpuqfoywy.exe
File opened (read-only)	\??\e:	hpuamvln.exe
File opened (read-only)	\??\n:	hpuamvln.exe
File opened (read-only)	\??\p:	hpuamvln.exe
File opened (read-only)	\??\r:	hpuamvln.exe
File opened (read-only)	\??\m:	hpuamvln.exe
File opened (read-only)	\??\u:	hpuamvln.exe
File opened (read-only)	\??\a:	hpuamvln.exe
File opened (read-only)	\??\e:	mrpuqfoywy.exe
File opened (read-only)	\??\k:	mrpuqfoywy.exe
File opened (read-only)	\??\r:	mrpuqfoywy.exe
File opened (read-only)	\??\y:	mrpuqfoywy.exe
File opened (read-only)	\??\q:	hpuamvln.exe
File opened (read-only)	\??\x:	hpuamvln.exe
File opened (read-only)	\??\j:	mrpuqfoywy.exe
File opened (read-only)	\??\i:	hpuamvln.exe
File opened (read-only)	\??\t:	hpuamvln.exe
File opened (read-only)	\??\w:	hpuamvln.exe
File opened (read-only)	\??\k:	hpuamvln.exe
File opened (read-only)	\??\h:	hpuamvln.exe
File opened (read-only)	\??\f:	hpuamvln.exe
File opened (read-only)	\??\s:	hpuamvln.exe
File opened (read-only)	\??\i:	mrpuqfoywy.exe
File opened (read-only)	\??\e:	hpuamvln.exe
File opened (read-only)	\??\k:	hpuamvln.exe
File opened (read-only)	\??\l:	hpuamvln.exe
File opened (read-only)	\??\x:	hpuamvln.exe
File opened (read-only)	\??\a:	hpuamvln.exe
File opened (read-only)	\??\b:	mrpuqfoywy.exe
File opened (read-only)	\??\n:	mrpuqfoywy.exe
File opened (read-only)	\??\o:	mrpuqfoywy.exe
File opened (read-only)	\??\b:	hpuamvln.exe
File opened (read-only)	\??\t:	hpuamvln.exe
File opened (read-only)	\??\f:	mrpuqfoywy.exe
File opened (read-only)	\??\g:	mrpuqfoywy.exe
File opened (read-only)	\??\v:	mrpuqfoywy.exe
File opened (read-only)	\??\w:	mrpuqfoywy.exe
File opened (read-only)	\??\n:	hpuamvln.exe
File opened (read-only)	\??\z:	hpuamvln.exe
File opened (read-only)	\??\u:	hpuamvln.exe
File opened (read-only)	\??\s:	hpuamvln.exe
File opened (read-only)	\??\m:	mrpuqfoywy.exe
File opened (read-only)	\??\f:	hpuamvln.exe
File opened (read-only)	\??\g:	hpuamvln.exe
File opened (read-only)	\??\o:	hpuamvln.exe
File opened (read-only)	\??\y:	hpuamvln.exe
File opened (read-only)	\??\u:	mrpuqfoywy.exe
File opened (read-only)	\??\z:	mrpuqfoywy.exe
File opened (read-only)	\??\j:	hpuamvln.exe
File opened (read-only)	\??\r:	hpuamvln.exe
File opened (read-only)	\??\v:	hpuamvln.exe
File opened (read-only)	\??\l:	hpuamvln.exe
File opened (read-only)	\??\l:	mrpuqfoywy.exe
File opened (read-only)	\??\p:	mrpuqfoywy.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	mrpuqfoywy.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	mrpuqfoywy.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2032-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/896-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/956-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1644-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1152-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2032-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/112-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/896-107-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1644-109-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/956-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1552-110-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1152-112-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/112-113-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\holkeolxaicadpb.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\SysWOW64\holkeolxaicadpb.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File created	C:\Windows\SysWOW64\tqhxpcntrrwmx.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\SysWOW64\tqhxpcntrrwmx.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File created	C:\Windows\SysWOW64\mrpuqfoywy.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\SysWOW64\mrpuqfoywy.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File created	C:\Windows\SysWOW64\hpuamvln.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\SysWOW64\hpuamvln.exe	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	mrpuqfoywy.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hpuamvln.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hpuamvln.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hpuamvln.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hpuamvln.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hpuamvln.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hpuamvln.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hpuamvln.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hpuamvln.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FCF9482882199047D75D7DE2BC90E630584566406333D69C"	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC67C14E3DAB3B8CA7FE7EDE334C7"	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	mrpuqfoywy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	mrpuqfoywy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	mrpuqfoywy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFABBF961F19283753B3786973E99B08E02FD43120338E1CA459908A8"	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1904	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
956	holkeolxaicadpb.exe
112	tqhxpcntrrwmx.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
896	mrpuqfoywy.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
956	holkeolxaicadpb.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1644	hpuamvln.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1552	tqhxpcntrrwmx.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
1152	hpuamvln.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe
112	tqhxpcntrrwmx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1904	WINWORD.EXE
1904	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 896	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	27
PID 2032 wrote to memory of 896	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	27
PID 2032 wrote to memory of 896	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	27
PID 2032 wrote to memory of 896	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	27
PID 2032 wrote to memory of 956	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	28
PID 2032 wrote to memory of 956	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	28
PID 2032 wrote to memory of 956	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	28
PID 2032 wrote to memory of 956	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	28
PID 2032 wrote to memory of 1644	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	29
PID 2032 wrote to memory of 1644	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	29
PID 2032 wrote to memory of 1644	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	29
PID 2032 wrote to memory of 1644	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	29
PID 2032 wrote to memory of 1552	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	30
PID 2032 wrote to memory of 1552	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	30
PID 2032 wrote to memory of 1552	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	30
PID 2032 wrote to memory of 1552	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	30
PID 896 wrote to memory of 1152	896	mrpuqfoywy.exe	32
PID 896 wrote to memory of 1152	896	mrpuqfoywy.exe	32
PID 896 wrote to memory of 1152	896	mrpuqfoywy.exe	32
PID 896 wrote to memory of 1152	896	mrpuqfoywy.exe	32
PID 956 wrote to memory of 364	956	holkeolxaicadpb.exe	31
PID 956 wrote to memory of 364	956	holkeolxaicadpb.exe	31
PID 956 wrote to memory of 364	956	holkeolxaicadpb.exe	31
PID 956 wrote to memory of 364	956	holkeolxaicadpb.exe	31
PID 364 wrote to memory of 112	364	cmd.exe	34
PID 364 wrote to memory of 112	364	cmd.exe	34
PID 364 wrote to memory of 112	364	cmd.exe	34
PID 364 wrote to memory of 112	364	cmd.exe	34
PID 2032 wrote to memory of 1904	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	35
PID 2032 wrote to memory of 1904	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	35
PID 2032 wrote to memory of 1904	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	35
PID 2032 wrote to memory of 1904	2032	c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe	35
PID 1904 wrote to memory of 1308	1904	WINWORD.EXE	39
PID 1904 wrote to memory of 1308	1904	WINWORD.EXE	39
PID 1904 wrote to memory of 1308	1904	WINWORD.EXE	39
PID 1904 wrote to memory of 1308	1904	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe
"C:\Users\Admin\AppData\Local\Temp\c4de8f36a329efc4399d74fe06a89f5f372701ccfaaa410487aa22fe5b023033.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\mrpuqfoywy.exe
  mrpuqfoywy.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\hpuamvln.exe
    C:\Windows\system32\hpuamvln.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1152
- C:\Windows\SysWOW64\holkeolxaicadpb.exe
  holkeolxaicadpb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c tqhxpcntrrwmx.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Windows\SysWOW64\tqhxpcntrrwmx.exe
      tqhxpcntrrwmx.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:112
- C:\Windows\SysWOW64\hpuamvln.exe
  hpuamvln.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1644
- C:\Windows\SysWOW64\tqhxpcntrrwmx.exe
  tqhxpcntrrwmx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1552
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
c18f68451d79d904277a00df807b3ccc

SHA1
3269d9e703e8ac1b80d574fce8686d30ece4c4ca

SHA256
f05ade1292f0e08887fdedc78696aa91b7290b9303662b4fb7a9beb7d0379ce5

SHA512
afda9b66974caa2a13cbdc003605b48b2f77200d3571d6a8ccd7e71c908a968593f4e02406fc0a05a4776be691fc7558fa707176bb9625129f2d57267f119a60

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
282126cb4e9121cc2e24cbea1a3f0b84

SHA1
9e0037d8cd9ce5d6303f06c1647876a04a6cfcc0

SHA256
bb6e3dd822a9f2a193592f0115a247799e5f316c59033993cdec3c63270514aa

SHA512
63c012a5cc9b5e34c8ddf1610fe3608aca3061f5c666e58df1073c9001a2487a0c62ac738d921e7cedd8d2b0031ce220bb007d9be6fb13988e58ee1d8dd8082c

Download Submit
C:\Users\Admin\Documents\SwitchUnlock.doc.exe

Filesize
255KB

MD5
963576839f9b14086c1b90e0ce083ac8

SHA1
f81a09cf88c10a05bfc9f2548762108199b525a3

SHA256
3e818240cf5c67923827a986d97e348e284304f2622ef920fe4b7b85d65704c7

SHA512
30f38b826a25205dcce9fcfab27d32451b083f589dd03ee8730c05b6a53a33a84fa37b09a9766037a0b0017b3b5f9687b3102a43e2c307a930c6358f85716efe

Download Submit
C:\Users\Admin\Documents\SwitchUnlock.doc.exe

Filesize
255KB

MD5
1cb99c8f8d4a2c1e6be3bf1816543259

SHA1
a0ecbf563ac8a2d5ccbab32dc63c252fb34e8f47

SHA256
f25132f1fc75b62ed3e31e30e09ffccc210a6fd5647801b2ba1bd654141f46f8

SHA512
c78918cecd387a5cf79a7bb8c3c716ef1c892bac463d3dd4061a61c5d0bb9c27c538229487b7c3173e440e405a6458338e9397c469c40bbba047fac81432b1ea

Download Submit
C:\Windows\SysWOW64\holkeolxaicadpb.exe

Filesize
255KB

MD5
dabe504e8827450a788b6619e3eba936

SHA1
e052b26b106e3b2dc08e48b2b929918f291f9140

SHA256
56634425673dac4809e16218d5911d5054fdd7a36503935df50690c06fe196ff

SHA512
8ad3ab16f68b071f504c8c619edaa7a7a73297d538a56a358aec40542d930cd8dc0fffcea50b4970038c4d103a2a28cf375f7a8fd09b6e949c6d75334f18fcfb

Download Submit
C:\Windows\SysWOW64\holkeolxaicadpb.exe

Filesize
255KB

MD5
dabe504e8827450a788b6619e3eba936

SHA1
e052b26b106e3b2dc08e48b2b929918f291f9140

SHA256
56634425673dac4809e16218d5911d5054fdd7a36503935df50690c06fe196ff

SHA512
8ad3ab16f68b071f504c8c619edaa7a7a73297d538a56a358aec40542d930cd8dc0fffcea50b4970038c4d103a2a28cf375f7a8fd09b6e949c6d75334f18fcfb

Download Submit
C:\Windows\SysWOW64\hpuamvln.exe

Filesize
255KB

MD5
e08f6c00e5820dcb2c02b390ad2c2aac

SHA1
afc488c66f3480acb86ba80ce335c63e02b18b6f

SHA256
ea635c48d9b78611a50448271ed5eb837fde9a3edb8b3292e4d5d8751accba46

SHA512
fae499f3d5a727a2472dee2bf0783652e6f87b281306b58a9c4723962780642106813235c7096f09a4b18d27b08becb6d51fd3e53b291210d569376de890bc24

Download Submit
C:\Windows\SysWOW64\hpuamvln.exe

Filesize
255KB

MD5
e08f6c00e5820dcb2c02b390ad2c2aac

SHA1
afc488c66f3480acb86ba80ce335c63e02b18b6f

SHA256
ea635c48d9b78611a50448271ed5eb837fde9a3edb8b3292e4d5d8751accba46

SHA512
fae499f3d5a727a2472dee2bf0783652e6f87b281306b58a9c4723962780642106813235c7096f09a4b18d27b08becb6d51fd3e53b291210d569376de890bc24

Download Submit
C:\Windows\SysWOW64\hpuamvln.exe

Filesize
255KB

MD5
e08f6c00e5820dcb2c02b390ad2c2aac

SHA1
afc488c66f3480acb86ba80ce335c63e02b18b6f

SHA256
ea635c48d9b78611a50448271ed5eb837fde9a3edb8b3292e4d5d8751accba46

SHA512
fae499f3d5a727a2472dee2bf0783652e6f87b281306b58a9c4723962780642106813235c7096f09a4b18d27b08becb6d51fd3e53b291210d569376de890bc24

Download Submit
C:\Windows\SysWOW64\mrpuqfoywy.exe

Filesize
255KB

MD5
0ec1868666785e061cb8ee9842971ae4

SHA1
8ed179364f7dee8866cffaa8bb96963ac0d128b3

SHA256
1a50652eb7aa00922fbfa6af69252137212241dc7f1da63530d5bb192d4427fb

SHA512
4256169fc8837f3581ae574ceba33bfc294ff9436a07a4c749a5388776391e7c94532aeb16ee2d74de0befccbde885bf24196db873c9154182f590083e0d1d25

Download Submit
C:\Windows\SysWOW64\mrpuqfoywy.exe

Filesize
255KB

MD5
0ec1868666785e061cb8ee9842971ae4

SHA1
8ed179364f7dee8866cffaa8bb96963ac0d128b3

SHA256
1a50652eb7aa00922fbfa6af69252137212241dc7f1da63530d5bb192d4427fb

SHA512
4256169fc8837f3581ae574ceba33bfc294ff9436a07a4c749a5388776391e7c94532aeb16ee2d74de0befccbde885bf24196db873c9154182f590083e0d1d25

Download Submit
C:\Windows\SysWOW64\tqhxpcntrrwmx.exe

Filesize
255KB

MD5
b96073ea66788b1c56bce759f8349cff

SHA1
e6f274622b2a09a005ee914d678416ee10bce7c6

SHA256
2b7d21ee6a5964cc5b0573f045258d285f503cdd0466b817d1e320d8a80b81ac

SHA512
4408aaa4d41226ab9c32e7937568b2eff0eeca2b25505ad89da38273c320a652ee2c842536a598c26eb6e9c6a7171886d2aaa69f50e2681bc22552f0c15ed308

Download Submit
C:\Windows\SysWOW64\tqhxpcntrrwmx.exe

Filesize
255KB

MD5
b96073ea66788b1c56bce759f8349cff

SHA1
e6f274622b2a09a005ee914d678416ee10bce7c6

SHA256
2b7d21ee6a5964cc5b0573f045258d285f503cdd0466b817d1e320d8a80b81ac

SHA512
4408aaa4d41226ab9c32e7937568b2eff0eeca2b25505ad89da38273c320a652ee2c842536a598c26eb6e9c6a7171886d2aaa69f50e2681bc22552f0c15ed308

Download Submit
C:\Windows\SysWOW64\tqhxpcntrrwmx.exe

Filesize
255KB

MD5
b96073ea66788b1c56bce759f8349cff

SHA1
e6f274622b2a09a005ee914d678416ee10bce7c6

SHA256
2b7d21ee6a5964cc5b0573f045258d285f503cdd0466b817d1e320d8a80b81ac

SHA512
4408aaa4d41226ab9c32e7937568b2eff0eeca2b25505ad89da38273c320a652ee2c842536a598c26eb6e9c6a7171886d2aaa69f50e2681bc22552f0c15ed308

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
d1ce04f2705e35b3defaf526755cc14b

SHA1
734265d4a11a81c380ce89e0f2cb3ed1a026c8cc

SHA256
6f5d51b38390228b04c8fe6b4450c28531c1fe322dd78b4999dabee767017223

SHA512
c5993045b2b2c91fce204959c3314e858b083b3b5ace27293d2ff197529810b36360b9670bbf2dd8dda78efd69daa93728294df70e06db887e85f781dc64e750

Download Submit
\Windows\SysWOW64\holkeolxaicadpb.exe

Filesize
255KB

MD5
dabe504e8827450a788b6619e3eba936

SHA1
e052b26b106e3b2dc08e48b2b929918f291f9140

SHA256
56634425673dac4809e16218d5911d5054fdd7a36503935df50690c06fe196ff

SHA512
8ad3ab16f68b071f504c8c619edaa7a7a73297d538a56a358aec40542d930cd8dc0fffcea50b4970038c4d103a2a28cf375f7a8fd09b6e949c6d75334f18fcfb

Download Submit
\Windows\SysWOW64\hpuamvln.exe

Filesize
255KB

MD5
e08f6c00e5820dcb2c02b390ad2c2aac

SHA1
afc488c66f3480acb86ba80ce335c63e02b18b6f

SHA256
ea635c48d9b78611a50448271ed5eb837fde9a3edb8b3292e4d5d8751accba46

SHA512
fae499f3d5a727a2472dee2bf0783652e6f87b281306b58a9c4723962780642106813235c7096f09a4b18d27b08becb6d51fd3e53b291210d569376de890bc24

Download Submit
\Windows\SysWOW64\hpuamvln.exe

Filesize
255KB

MD5
e08f6c00e5820dcb2c02b390ad2c2aac

SHA1
afc488c66f3480acb86ba80ce335c63e02b18b6f

SHA256
ea635c48d9b78611a50448271ed5eb837fde9a3edb8b3292e4d5d8751accba46

SHA512
fae499f3d5a727a2472dee2bf0783652e6f87b281306b58a9c4723962780642106813235c7096f09a4b18d27b08becb6d51fd3e53b291210d569376de890bc24

Download Submit
\Windows\SysWOW64\mrpuqfoywy.exe

Filesize
255KB

MD5
0ec1868666785e061cb8ee9842971ae4

SHA1
8ed179364f7dee8866cffaa8bb96963ac0d128b3

SHA256
1a50652eb7aa00922fbfa6af69252137212241dc7f1da63530d5bb192d4427fb

SHA512
4256169fc8837f3581ae574ceba33bfc294ff9436a07a4c749a5388776391e7c94532aeb16ee2d74de0befccbde885bf24196db873c9154182f590083e0d1d25

Download Submit
\Windows\SysWOW64\tqhxpcntrrwmx.exe

Filesize
255KB

MD5
b96073ea66788b1c56bce759f8349cff

SHA1
e6f274622b2a09a005ee914d678416ee10bce7c6

SHA256
2b7d21ee6a5964cc5b0573f045258d285f503cdd0466b817d1e320d8a80b81ac

SHA512
4408aaa4d41226ab9c32e7937568b2eff0eeca2b25505ad89da38273c320a652ee2c842536a598c26eb6e9c6a7171886d2aaa69f50e2681bc22552f0c15ed308

Download Submit
\Windows\SysWOW64\tqhxpcntrrwmx.exe

Filesize
255KB

MD5
b96073ea66788b1c56bce759f8349cff

SHA1
e6f274622b2a09a005ee914d678416ee10bce7c6

SHA256
2b7d21ee6a5964cc5b0573f045258d285f503cdd0466b817d1e320d8a80b81ac

SHA512
4408aaa4d41226ab9c32e7937568b2eff0eeca2b25505ad89da38273c320a652ee2c842536a598c26eb6e9c6a7171886d2aaa69f50e2681bc22552f0c15ed308

Download Submit
memory/112-113-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/112-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/896-111-0x0000000002C20000-0x0000000002CC0000-memory.dmp

Filesize
640KB

Download
memory/896-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/896-107-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/956-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/956-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1152-112-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1152-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1308-116-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1552-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1552-110-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1644-109-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1644-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1904-114-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/1904-118-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/1904-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-96-0x0000000070181000-0x0000000070183000-memory.dmp

Filesize
8KB

Download
memory/1904-101-0x000000007116D000-0x0000000071178000-memory.dmp

Filesize
44KB

Download
memory/1904-95-0x0000000072701000-0x0000000072704000-memory.dmp

Filesize
12KB

Download
memory/2032-90-0x00000000032E0000-0x0000000003380000-memory.dmp

Filesize
640KB

Download
memory/2032-87-0x00000000032E0000-0x0000000003380000-memory.dmp

Filesize
640KB

Download
memory/2032-85-0x00000000032E0000-0x0000000003380000-memory.dmp

Filesize
640KB

Download
memory/2032-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2032-54-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/2032-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download