9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464

Analysis

max time kernel
151s
max time network
68s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Size

255KB
MD5

97e439bd06e00539d31641727bfccba7
SHA1

a597c080dc652cc2da13305853db37733ad83e10
SHA256

9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464
SHA512

05886a16c5601017db8de501de329511311cf0055789bb3122e530d880d8b2b3412e67bce4aab853ac78a2c28e946d22123b1cf0bc386371204afbd684391dab
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJK:1xlZam+akqx6YQJXcNlEHUIQeE3mmBID

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	cvyqbgmnvc.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	cvyqbgmnvc.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cvyqbgmnvc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cvyqbgmnvc.exe

Executes dropped EXE 5 IoCs

pid	Process
1136	cvyqbgmnvc.exe
1520	tcgtdwnrjloxhhj.exe
1444	yzyobjpu.exe
1744	esxxraotxnnnj.exe
1112	yzyobjpu.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/memory/976-59-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000b0000000122ff-61.dat	upx
behavioral1/files/0x000c0000000054a8-62.dat	upx
behavioral1/memory/1136-64-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000900000001230d-66.dat	upx
behavioral1/files/0x000b0000000122ff-65.dat	upx
behavioral1/files/0x0008000000012311-71.dat	upx
behavioral1/files/0x000900000001230d-68.dat	upx
behavioral1/files/0x0008000000012311-74.dat	upx
behavioral1/files/0x000900000001230d-73.dat	upx
behavioral1/files/0x000b0000000122ff-76.dat	upx
behavioral1/files/0x0008000000012311-77.dat	upx
behavioral1/files/0x000900000001230d-78.dat	upx
behavioral1/files/0x000900000001230d-80.dat	upx
behavioral1/memory/1520-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1444-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1744-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1112-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/976-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1136-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1520-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1444-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1744-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1112-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000132f6-104.dat	upx
behavioral1/files/0x00070000000133d3-105.dat	upx
behavioral1/files/0x00070000000133e5-106.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
1136	cvyqbgmnvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	cvyqbgmnvc.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	tcgtdwnrjloxhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\piljpjlk = "cvyqbgmnvc.exe"	tcgtdwnrjloxhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bwyrrgvx = "tcgtdwnrjloxhhj.exe"	tcgtdwnrjloxhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "esxxraotxnnnj.exe"	tcgtdwnrjloxhhj.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	yzyobjpu.exe
File opened (read-only)	\??\z:	yzyobjpu.exe
File opened (read-only)	\??\j:	yzyobjpu.exe
File opened (read-only)	\??\b:	cvyqbgmnvc.exe
File opened (read-only)	\??\n:	cvyqbgmnvc.exe
File opened (read-only)	\??\q:	cvyqbgmnvc.exe
File opened (read-only)	\??\v:	cvyqbgmnvc.exe
File opened (read-only)	\??\z:	cvyqbgmnvc.exe
File opened (read-only)	\??\a:	cvyqbgmnvc.exe
File opened (read-only)	\??\f:	yzyobjpu.exe
File opened (read-only)	\??\m:	yzyobjpu.exe
File opened (read-only)	\??\g:	yzyobjpu.exe
File opened (read-only)	\??\o:	yzyobjpu.exe
File opened (read-only)	\??\s:	yzyobjpu.exe
File opened (read-only)	\??\u:	yzyobjpu.exe
File opened (read-only)	\??\k:	cvyqbgmnvc.exe
File opened (read-only)	\??\p:	cvyqbgmnvc.exe
File opened (read-only)	\??\r:	cvyqbgmnvc.exe
File opened (read-only)	\??\e:	yzyobjpu.exe
File opened (read-only)	\??\l:	yzyobjpu.exe
File opened (read-only)	\??\r:	yzyobjpu.exe
File opened (read-only)	\??\u:	yzyobjpu.exe
File opened (read-only)	\??\v:	yzyobjpu.exe
File opened (read-only)	\??\z:	yzyobjpu.exe
File opened (read-only)	\??\m:	cvyqbgmnvc.exe
File opened (read-only)	\??\l:	cvyqbgmnvc.exe
File opened (read-only)	\??\o:	cvyqbgmnvc.exe
File opened (read-only)	\??\t:	cvyqbgmnvc.exe
File opened (read-only)	\??\x:	cvyqbgmnvc.exe
File opened (read-only)	\??\b:	yzyobjpu.exe
File opened (read-only)	\??\n:	yzyobjpu.exe
File opened (read-only)	\??\w:	yzyobjpu.exe
File opened (read-only)	\??\f:	cvyqbgmnvc.exe
File opened (read-only)	\??\j:	yzyobjpu.exe
File opened (read-only)	\??\e:	yzyobjpu.exe
File opened (read-only)	\??\q:	yzyobjpu.exe
File opened (read-only)	\??\r:	yzyobjpu.exe
File opened (read-only)	\??\g:	yzyobjpu.exe
File opened (read-only)	\??\i:	yzyobjpu.exe
File opened (read-only)	\??\v:	yzyobjpu.exe
File opened (read-only)	\??\l:	yzyobjpu.exe
File opened (read-only)	\??\e:	cvyqbgmnvc.exe
File opened (read-only)	\??\t:	yzyobjpu.exe
File opened (read-only)	\??\p:	yzyobjpu.exe
File opened (read-only)	\??\t:	yzyobjpu.exe
File opened (read-only)	\??\x:	yzyobjpu.exe
File opened (read-only)	\??\g:	cvyqbgmnvc.exe
File opened (read-only)	\??\h:	yzyobjpu.exe
File opened (read-only)	\??\w:	cvyqbgmnvc.exe
File opened (read-only)	\??\y:	cvyqbgmnvc.exe
File opened (read-only)	\??\b:	yzyobjpu.exe
File opened (read-only)	\??\h:	yzyobjpu.exe
File opened (read-only)	\??\o:	yzyobjpu.exe
File opened (read-only)	\??\a:	yzyobjpu.exe
File opened (read-only)	\??\s:	cvyqbgmnvc.exe
File opened (read-only)	\??\k:	yzyobjpu.exe
File opened (read-only)	\??\n:	yzyobjpu.exe
File opened (read-only)	\??\p:	yzyobjpu.exe
File opened (read-only)	\??\s:	yzyobjpu.exe
File opened (read-only)	\??\x:	yzyobjpu.exe
File opened (read-only)	\??\m:	yzyobjpu.exe
File opened (read-only)	\??\y:	yzyobjpu.exe
File opened (read-only)	\??\y:	yzyobjpu.exe
File opened (read-only)	\??\i:	yzyobjpu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	cvyqbgmnvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	cvyqbgmnvc.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/976-59-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1136-64-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1520-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1444-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1744-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1112-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/976-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1136-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1520-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1444-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1744-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1112-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cvyqbgmnvc.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File created	C:\Windows\SysWOW64\yzyobjpu.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File opened for modification	C:\Windows\SysWOW64\yzyobjpu.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File created	C:\Windows\SysWOW64\esxxraotxnnnj.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File opened for modification	C:\Windows\SysWOW64\esxxraotxnnnj.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	cvyqbgmnvc.exe
File created	C:\Windows\SysWOW64\cvyqbgmnvc.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File created	C:\Windows\SysWOW64\tcgtdwnrjloxhhj.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File opened for modification	C:\Windows\SysWOW64\tcgtdwnrjloxhhj.exe	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	yzyobjpu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	yzyobjpu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	yzyobjpu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yzyobjpu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yzyobjpu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yzyobjpu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yzyobjpu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yzyobjpu.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F16BC3FE6821A9D10BD0A48A759161"	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	cvyqbgmnvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B02044E739ED53CCBAA733EED4B8"	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FACEF96AF2E283743A4686EE3E93B0FC02F843670248E1BD42E808A0"	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	cvyqbgmnvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7E9D2082276A3E76D770542CA97CF164DA"	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C70F1490DBC0B9BD7CE3ECE337BA"	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	cvyqbgmnvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1512	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1112	yzyobjpu.exe
1112	yzyobjpu.exe
1112	yzyobjpu.exe
1112	yzyobjpu.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1744	esxxraotxnnnj.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: 33	1460	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1460	AUDIODG.EXE
Token: 33	1460	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1460	AUDIODG.EXE
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe
Token: SeShutdownPrivilege	668	explorer.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1112	yzyobjpu.exe
1112	yzyobjpu.exe
1112	yzyobjpu.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Suspicious use of SendNotifyMessage 49 IoCs

pid	Process
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1136	cvyqbgmnvc.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1444	yzyobjpu.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
1520	tcgtdwnrjloxhhj.exe
1744	esxxraotxnnnj.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1512	WINWORD.EXE
1512	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 1136	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	27
PID 976 wrote to memory of 1136	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	27
PID 976 wrote to memory of 1136	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	27
PID 976 wrote to memory of 1136	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	27
PID 976 wrote to memory of 1520	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	28
PID 976 wrote to memory of 1520	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	28
PID 976 wrote to memory of 1520	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	28
PID 976 wrote to memory of 1520	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	28
PID 976 wrote to memory of 1444	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	29
PID 976 wrote to memory of 1444	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	29
PID 976 wrote to memory of 1444	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	29
PID 976 wrote to memory of 1444	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	29
PID 976 wrote to memory of 1744	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	30
PID 976 wrote to memory of 1744	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	30
PID 976 wrote to memory of 1744	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	30
PID 976 wrote to memory of 1744	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	30
PID 1136 wrote to memory of 1112	1136	cvyqbgmnvc.exe	31
PID 1136 wrote to memory of 1112	1136	cvyqbgmnvc.exe	31
PID 1136 wrote to memory of 1112	1136	cvyqbgmnvc.exe	31
PID 1136 wrote to memory of 1112	1136	cvyqbgmnvc.exe	31
PID 976 wrote to memory of 1512	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	32
PID 976 wrote to memory of 1512	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	32
PID 976 wrote to memory of 1512	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	32
PID 976 wrote to memory of 1512	976	9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe	32
PID 1512 wrote to memory of 1664	1512	WINWORD.EXE	39
PID 1512 wrote to memory of 1664	1512	WINWORD.EXE	39
PID 1512 wrote to memory of 1664	1512	WINWORD.EXE	39
PID 1512 wrote to memory of 1664	1512	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe
"C:\Users\Admin\AppData\Local\Temp\9481a108b78197334b5d56aa027c4ee662159b6d20a6eb27f3bc533f52459464.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\cvyqbgmnvc.exe
  cvyqbgmnvc.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\SysWOW64\yzyobjpu.exe
    C:\Windows\system32\yzyobjpu.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1112
- C:\Windows\SysWOW64\tcgtdwnrjloxhhj.exe
  tcgtdwnrjloxhhj.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1520
- C:\Windows\SysWOW64\yzyobjpu.exe
  yzyobjpu.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1444
- C:\Windows\SysWOW64\esxxraotxnnnj.exe
  esxxraotxnnnj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1744
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1664

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x59c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
8dc56afee859cb1213b1b6140e479804

SHA1
64227ab1719a01308191a62575830723b0f59e9e

SHA256
884dcb01f264d082d1ebf190639c843bcf75090e3a929a0cd2e354cd35bea0b4

SHA512
d9d26771e8281bc0293ebcd051b08973353a8485e1cbee7ac184902b518360f45d9158749c234057c451c5ea18bbdf780fcaf753c003d2b03e8f99db5c39be9a

Download Submit
C:\Users\Admin\Desktop\UnpublishExport.doc.exe

Filesize
255KB

MD5
b2e5fb0c949404cc40212732e91e0589

SHA1
1214fce193eff2f0f23fdd7bed67d57ce6ed093a

SHA256
44e1c71f5b83d8d8e73618e5ec09f72ac2c951e3419da0125389a72246c8dbe3

SHA512
55ededb716aae936d11f96903c6688243cabb6c9c779325a6470a77523b559294247a1ddce498174b8911d0c44581874d2b29b0474c4f08d6408205f2f4b256d

Download Submit
C:\Users\Admin\Documents\RestartUnblock.doc.exe

Filesize
255KB

MD5
772d58a2a17114ce0f0ad16ebe6dbda6

SHA1
aec64e1135fb39a9a9fc906889a9b53ac1bbe5f1

SHA256
2c5b3f7711d21c99dd5ed0dd45fc3e2da82de7d854bee37f40d41b1c9cfb6cf2

SHA512
79fd0b1640ae5b2fc1c12c63b2971aba9cb61ca155cacb25d8deb84440cf76aa16b0e87da70b4a27643c2ae49c2c7d62e7f15652bb584bc946061d5d033fd569

Download Submit
C:\Windows\SysWOW64\cvyqbgmnvc.exe

Filesize
255KB

MD5
efd5b4b2b4cda65812ab1f0efc30ae2e

SHA1
7934ccac4034ff3a64d0b7294e6a60487362e3d6

SHA256
59a70b5bf41fb76fbcb7138fafa9664624fbd2551e2985ec3304db0b10670f20

SHA512
fa0eef216b32c9cb80da6f7e47215a9971153f3eecc4178e47d0cc2b0dc0d515825334d7acea29eb2fa3492fdd0bf6764c2fd861e8134449ed21806f39ab1292

Download Submit
C:\Windows\SysWOW64\cvyqbgmnvc.exe

Filesize
255KB

MD5
efd5b4b2b4cda65812ab1f0efc30ae2e

SHA1
7934ccac4034ff3a64d0b7294e6a60487362e3d6

SHA256
59a70b5bf41fb76fbcb7138fafa9664624fbd2551e2985ec3304db0b10670f20

SHA512
fa0eef216b32c9cb80da6f7e47215a9971153f3eecc4178e47d0cc2b0dc0d515825334d7acea29eb2fa3492fdd0bf6764c2fd861e8134449ed21806f39ab1292

Download Submit
C:\Windows\SysWOW64\esxxraotxnnnj.exe

Filesize
255KB

MD5
1631825a11f3e38cf3731f4f02c54970

SHA1
80e113469e0c3e3f9d600995ba3550155d89b411

SHA256
ecfbf352f79d55f7880c27cadffcf9aaaf069d408fd04277ae66ab77747abbb4

SHA512
c400c4d55aa4ab9283514a4f1bafe9a47596c1332936830e36792fb107c45775b3a1f7a108c3610b2a43daa8cfff0f83fa642c80f16ba11d4319af754e9a621e

Download Submit
C:\Windows\SysWOW64\esxxraotxnnnj.exe

Filesize
255KB

MD5
1631825a11f3e38cf3731f4f02c54970

SHA1
80e113469e0c3e3f9d600995ba3550155d89b411

SHA256
ecfbf352f79d55f7880c27cadffcf9aaaf069d408fd04277ae66ab77747abbb4

SHA512
c400c4d55aa4ab9283514a4f1bafe9a47596c1332936830e36792fb107c45775b3a1f7a108c3610b2a43daa8cfff0f83fa642c80f16ba11d4319af754e9a621e

Download Submit
C:\Windows\SysWOW64\tcgtdwnrjloxhhj.exe

Filesize
255KB

MD5
c8d7ab53f2cb737629c4e75f6541c88b

SHA1
e560fb94726eb74f4bd5d37c15ef3385cddaa674

SHA256
e13d10a68780b7493921b53eaac2d4b38d3da4f5fa0397d8fd5852df0a6cde02

SHA512
21d85b3772e1021059ac7ae3d225754fc5f03fecc3b70ac0a24a6320daf102cae710b9f0922005c3799265b5e47331c88a88e0b995bcabac9297d26f3136fa57

Download Submit
C:\Windows\SysWOW64\tcgtdwnrjloxhhj.exe

Filesize
255KB

MD5
c8d7ab53f2cb737629c4e75f6541c88b

SHA1
e560fb94726eb74f4bd5d37c15ef3385cddaa674

SHA256
e13d10a68780b7493921b53eaac2d4b38d3da4f5fa0397d8fd5852df0a6cde02

SHA512
21d85b3772e1021059ac7ae3d225754fc5f03fecc3b70ac0a24a6320daf102cae710b9f0922005c3799265b5e47331c88a88e0b995bcabac9297d26f3136fa57

Download Submit
C:\Windows\SysWOW64\yzyobjpu.exe

Filesize
255KB

MD5
1f0e653a667d88d47d7c2ce83eb3be83

SHA1
a253c13b1cf019dc25a09f6dd27f08b98b33e0b3

SHA256
7367b442dbf6610d08c8820c1f5e92265bd7c85516a4e2e10f1cffb2cf081e16

SHA512
94127a1c820d836529040aa99ed35b3c9da8608d4e2f657731c14bfde8cb6da0a2d8647282e83759dd85b23b9050e067a01642a1a22b2ec0ea2ece9fa1097f77

Download Submit
C:\Windows\SysWOW64\yzyobjpu.exe

Filesize
255KB

MD5
1f0e653a667d88d47d7c2ce83eb3be83

SHA1
a253c13b1cf019dc25a09f6dd27f08b98b33e0b3

SHA256
7367b442dbf6610d08c8820c1f5e92265bd7c85516a4e2e10f1cffb2cf081e16

SHA512
94127a1c820d836529040aa99ed35b3c9da8608d4e2f657731c14bfde8cb6da0a2d8647282e83759dd85b23b9050e067a01642a1a22b2ec0ea2ece9fa1097f77

Download Submit
C:\Windows\SysWOW64\yzyobjpu.exe

Filesize
255KB

MD5
1f0e653a667d88d47d7c2ce83eb3be83

SHA1
a253c13b1cf019dc25a09f6dd27f08b98b33e0b3

SHA256
7367b442dbf6610d08c8820c1f5e92265bd7c85516a4e2e10f1cffb2cf081e16

SHA512
94127a1c820d836529040aa99ed35b3c9da8608d4e2f657731c14bfde8cb6da0a2d8647282e83759dd85b23b9050e067a01642a1a22b2ec0ea2ece9fa1097f77

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\cvyqbgmnvc.exe

Filesize
255KB

MD5
efd5b4b2b4cda65812ab1f0efc30ae2e

SHA1
7934ccac4034ff3a64d0b7294e6a60487362e3d6

SHA256
59a70b5bf41fb76fbcb7138fafa9664624fbd2551e2985ec3304db0b10670f20

SHA512
fa0eef216b32c9cb80da6f7e47215a9971153f3eecc4178e47d0cc2b0dc0d515825334d7acea29eb2fa3492fdd0bf6764c2fd861e8134449ed21806f39ab1292

Download Submit
\Windows\SysWOW64\esxxraotxnnnj.exe

Filesize
255KB

MD5
1631825a11f3e38cf3731f4f02c54970

SHA1
80e113469e0c3e3f9d600995ba3550155d89b411

SHA256
ecfbf352f79d55f7880c27cadffcf9aaaf069d408fd04277ae66ab77747abbb4

SHA512
c400c4d55aa4ab9283514a4f1bafe9a47596c1332936830e36792fb107c45775b3a1f7a108c3610b2a43daa8cfff0f83fa642c80f16ba11d4319af754e9a621e

Download Submit
\Windows\SysWOW64\tcgtdwnrjloxhhj.exe

Filesize
255KB

MD5
c8d7ab53f2cb737629c4e75f6541c88b

SHA1
e560fb94726eb74f4bd5d37c15ef3385cddaa674

SHA256
e13d10a68780b7493921b53eaac2d4b38d3da4f5fa0397d8fd5852df0a6cde02

SHA512
21d85b3772e1021059ac7ae3d225754fc5f03fecc3b70ac0a24a6320daf102cae710b9f0922005c3799265b5e47331c88a88e0b995bcabac9297d26f3136fa57

Download Submit
\Windows\SysWOW64\yzyobjpu.exe

Filesize
255KB

MD5
1f0e653a667d88d47d7c2ce83eb3be83

SHA1
a253c13b1cf019dc25a09f6dd27f08b98b33e0b3

SHA256
7367b442dbf6610d08c8820c1f5e92265bd7c85516a4e2e10f1cffb2cf081e16

SHA512
94127a1c820d836529040aa99ed35b3c9da8608d4e2f657731c14bfde8cb6da0a2d8647282e83759dd85b23b9050e067a01642a1a22b2ec0ea2ece9fa1097f77

Download Submit
\Windows\SysWOW64\yzyobjpu.exe

Filesize
255KB

MD5
1f0e653a667d88d47d7c2ce83eb3be83

SHA1
a253c13b1cf019dc25a09f6dd27f08b98b33e0b3

SHA256
7367b442dbf6610d08c8820c1f5e92265bd7c85516a4e2e10f1cffb2cf081e16

SHA512
94127a1c820d836529040aa99ed35b3c9da8608d4e2f657731c14bfde8cb6da0a2d8647282e83759dd85b23b9050e067a01642a1a22b2ec0ea2ece9fa1097f77

Download Submit
memory/668-91-0x000007FEFB5A1000-0x000007FEFB5A3000-memory.dmp

Filesize
8KB

Download
memory/976-59-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/976-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/976-60-0x00000000032B0000-0x0000000003350000-memory.dmp

Filesize
640KB

Download
memory/976-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/976-82-0x00000000032B0000-0x0000000003350000-memory.dmp

Filesize
640KB

Download
memory/1112-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1112-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1136-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1136-64-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1444-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1444-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1512-90-0x000000006FF21000-0x000000006FF23000-memory.dmp

Filesize
8KB

Download
memory/1512-89-0x00000000724A1000-0x00000000724A4000-memory.dmp

Filesize
12KB

Download
memory/1512-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1512-99-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/1512-101-0x0000000070F0D000-0x0000000070F18000-memory.dmp

Filesize
44KB

Download
memory/1520-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1520-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1744-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1744-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download