eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e

Analysis

max time kernel
174s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Size

255KB
MD5

40527cd1cd4784f0e47dbc5b3a05b600
SHA1

2b0e60502ecbd26bb3c4b8da6fdaa15a894a9fb8
SHA256

eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e
SHA512

665e47ead615771fd1dc95bb8661adbc534f1a93c6e2fc5b223f9e23e86c39e01e2623002ad9608880505bf07a8354efdb4975bba15e4c7b61dd706620796e43
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJq:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIp

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	trhwfxawbv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	trhwfxawbv.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	trhwfxawbv.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	trhwfxawbv.exe

Executes dropped EXE 6 IoCs

pid	Process
876	trhwfxawbv.exe
596	vozdcdifynpetqo.exe
580	cjyvphab.exe
1804	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1284	cjyvphab.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/960-54-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/960-56-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00090000000141fc-57.dat	upx
behavioral1/files/0x00090000000141fc-59.dat	upx
behavioral1/files/0x00090000000141fc-61.dat	upx
behavioral1/files/0x0008000000014247-62.dat	upx
behavioral1/files/0x0008000000014247-64.dat	upx
behavioral1/files/0x0008000000014247-66.dat	upx
behavioral1/files/0x00070000000142e0-67.dat	upx
behavioral1/files/0x00070000000142e0-69.dat	upx
behavioral1/files/0x00070000000143b0-71.dat	upx
behavioral1/files/0x00070000000142e0-73.dat	upx
behavioral1/files/0x00070000000143b0-74.dat	upx
behavioral1/files/0x00070000000143b0-76.dat	upx
behavioral1/files/0x00070000000143b0-78.dat	upx
behavioral1/files/0x00070000000143b0-80.dat	upx
behavioral1/memory/876-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/596-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1804-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/580-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/964-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000142e0-88.dat	upx
behavioral1/files/0x00070000000142e0-90.dat	upx
behavioral1/memory/1284-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/960-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/876-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/596-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1804-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/580-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/964-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1284-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00060000000153cf-110.dat	upx
behavioral1/files/0x00060000000153cf-111.dat	upx
behavioral1/files/0x00060000000155b6-112.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
840	cmd.exe
876	trhwfxawbv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	trhwfxawbv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jsuralvd = "trhwfxawbv.exe"	vozdcdifynpetqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mezzbpgf = "vozdcdifynpetqo.exe"	vozdcdifynpetqo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dqweumtibjkjt.exe"	vozdcdifynpetqo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vozdcdifynpetqo.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	trhwfxawbv.exe
File opened (read-only)	\??\t:	trhwfxawbv.exe
File opened (read-only)	\??\t:	cjyvphab.exe
File opened (read-only)	\??\y:	cjyvphab.exe
File opened (read-only)	\??\f:	cjyvphab.exe
File opened (read-only)	\??\i:	cjyvphab.exe
File opened (read-only)	\??\n:	trhwfxawbv.exe
File opened (read-only)	\??\j:	cjyvphab.exe
File opened (read-only)	\??\o:	trhwfxawbv.exe
File opened (read-only)	\??\e:	cjyvphab.exe
File opened (read-only)	\??\g:	cjyvphab.exe
File opened (read-only)	\??\j:	cjyvphab.exe
File opened (read-only)	\??\l:	cjyvphab.exe
File opened (read-only)	\??\p:	cjyvphab.exe
File opened (read-only)	\??\q:	cjyvphab.exe
File opened (read-only)	\??\z:	cjyvphab.exe
File opened (read-only)	\??\b:	cjyvphab.exe
File opened (read-only)	\??\f:	cjyvphab.exe
File opened (read-only)	\??\q:	cjyvphab.exe
File opened (read-only)	\??\w:	cjyvphab.exe
File opened (read-only)	\??\m:	cjyvphab.exe
File opened (read-only)	\??\e:	cjyvphab.exe
File opened (read-only)	\??\r:	cjyvphab.exe
File opened (read-only)	\??\a:	cjyvphab.exe
File opened (read-only)	\??\h:	cjyvphab.exe
File opened (read-only)	\??\z:	trhwfxawbv.exe
File opened (read-only)	\??\l:	cjyvphab.exe
File opened (read-only)	\??\u:	cjyvphab.exe
File opened (read-only)	\??\h:	cjyvphab.exe
File opened (read-only)	\??\k:	trhwfxawbv.exe
File opened (read-only)	\??\q:	trhwfxawbv.exe
File opened (read-only)	\??\y:	trhwfxawbv.exe
File opened (read-only)	\??\i:	trhwfxawbv.exe
File opened (read-only)	\??\m:	trhwfxawbv.exe
File opened (read-only)	\??\g:	cjyvphab.exe
File opened (read-only)	\??\n:	cjyvphab.exe
File opened (read-only)	\??\o:	cjyvphab.exe
File opened (read-only)	\??\f:	trhwfxawbv.exe
File opened (read-only)	\??\t:	cjyvphab.exe
File opened (read-only)	\??\l:	trhwfxawbv.exe
File opened (read-only)	\??\w:	trhwfxawbv.exe
File opened (read-only)	\??\p:	cjyvphab.exe
File opened (read-only)	\??\r:	cjyvphab.exe
File opened (read-only)	\??\a:	cjyvphab.exe
File opened (read-only)	\??\b:	trhwfxawbv.exe
File opened (read-only)	\??\r:	trhwfxawbv.exe
File opened (read-only)	\??\s:	trhwfxawbv.exe
File opened (read-only)	\??\x:	cjyvphab.exe
File opened (read-only)	\??\y:	cjyvphab.exe
File opened (read-only)	\??\i:	cjyvphab.exe
File opened (read-only)	\??\o:	cjyvphab.exe
File opened (read-only)	\??\v:	cjyvphab.exe
File opened (read-only)	\??\z:	cjyvphab.exe
File opened (read-only)	\??\h:	trhwfxawbv.exe
File opened (read-only)	\??\j:	trhwfxawbv.exe
File opened (read-only)	\??\u:	trhwfxawbv.exe
File opened (read-only)	\??\s:	cjyvphab.exe
File opened (read-only)	\??\u:	cjyvphab.exe
File opened (read-only)	\??\v:	cjyvphab.exe
File opened (read-only)	\??\x:	cjyvphab.exe
File opened (read-only)	\??\x:	trhwfxawbv.exe
File opened (read-only)	\??\v:	trhwfxawbv.exe
File opened (read-only)	\??\n:	cjyvphab.exe
File opened (read-only)	\??\s:	cjyvphab.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	trhwfxawbv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	trhwfxawbv.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/960-56-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/876-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/596-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1804-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/580-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/964-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1284-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/960-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/876-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/596-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1804-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/580-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/964-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1284-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cjyvphab.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification	C:\Windows\SysWOW64\dqweumtibjkjt.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created	C:\Windows\SysWOW64\trhwfxawbv.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created	C:\Windows\SysWOW64\vozdcdifynpetqo.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification	C:\Windows\SysWOW64\vozdcdifynpetqo.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification	C:\Windows\SysWOW64\cjyvphab.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created	C:\Windows\SysWOW64\dqweumtibjkjt.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	trhwfxawbv.exe
File opened for modification	C:\Windows\SysWOW64\trhwfxawbv.exe	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cjyvphab.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	cjyvphab.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	cjyvphab.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	cjyvphab.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	cjyvphab.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	cjyvphab.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B6FF1822DAD208D0A28B7F9111"	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	trhwfxawbv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	trhwfxawbv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABBFE67F1E283083B4586EB3997B3FD02FA4268033CE2CA459A08A5"	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	trhwfxawbv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472D7A9C2182586A4377A770272DD97DF565DF"	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	trhwfxawbv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1648	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
580	cjyvphab.exe
580	cjyvphab.exe
580	cjyvphab.exe
580	cjyvphab.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
1284	cjyvphab.exe
1284	cjyvphab.exe
1284	cjyvphab.exe
1284	cjyvphab.exe
596	vozdcdifynpetqo.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
596	vozdcdifynpetqo.exe
964	dqweumtibjkjt.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
580	cjyvphab.exe
580	cjyvphab.exe
580	cjyvphab.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1284	cjyvphab.exe
1284	cjyvphab.exe
1284	cjyvphab.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
876	trhwfxawbv.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
596	vozdcdifynpetqo.exe
580	cjyvphab.exe
580	cjyvphab.exe
580	cjyvphab.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
1804	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
964	dqweumtibjkjt.exe
1284	cjyvphab.exe
1284	cjyvphab.exe
1284	cjyvphab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	WINWORD.EXE
1648	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 876	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	28
PID 960 wrote to memory of 876	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	28
PID 960 wrote to memory of 876	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	28
PID 960 wrote to memory of 876	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	28
PID 960 wrote to memory of 596	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	29
PID 960 wrote to memory of 596	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	29
PID 960 wrote to memory of 596	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	29
PID 960 wrote to memory of 596	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	29
PID 960 wrote to memory of 580	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	30
PID 960 wrote to memory of 580	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	30
PID 960 wrote to memory of 580	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	30
PID 960 wrote to memory of 580	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	30
PID 960 wrote to memory of 1804	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	31
PID 960 wrote to memory of 1804	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	31
PID 960 wrote to memory of 1804	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	31
PID 960 wrote to memory of 1804	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	31
PID 596 wrote to memory of 840	596	vozdcdifynpetqo.exe	32
PID 596 wrote to memory of 840	596	vozdcdifynpetqo.exe	32
PID 596 wrote to memory of 840	596	vozdcdifynpetqo.exe	32
PID 596 wrote to memory of 840	596	vozdcdifynpetqo.exe	32
PID 840 wrote to memory of 964	840	cmd.exe	34
PID 840 wrote to memory of 964	840	cmd.exe	34
PID 840 wrote to memory of 964	840	cmd.exe	34
PID 840 wrote to memory of 964	840	cmd.exe	34
PID 876 wrote to memory of 1284	876	trhwfxawbv.exe	35
PID 876 wrote to memory of 1284	876	trhwfxawbv.exe	35
PID 876 wrote to memory of 1284	876	trhwfxawbv.exe	35
PID 876 wrote to memory of 1284	876	trhwfxawbv.exe	35
PID 960 wrote to memory of 1648	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	36
PID 960 wrote to memory of 1648	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	36
PID 960 wrote to memory of 1648	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	36
PID 960 wrote to memory of 1648	960	eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe	36
PID 1648 wrote to memory of 1148	1648	WINWORD.EXE	40
PID 1648 wrote to memory of 1148	1648	WINWORD.EXE	40
PID 1648 wrote to memory of 1148	1648	WINWORD.EXE	40
PID 1648 wrote to memory of 1148	1648	WINWORD.EXE	40

C:\Users\Admin\AppData\Local\Temp\eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
"C:\Users\Admin\AppData\Local\Temp\eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\trhwfxawbv.exe
  trhwfxawbv.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\cjyvphab.exe
    C:\Windows\system32\cjyvphab.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1284
- C:\Windows\SysWOW64\vozdcdifynpetqo.exe
  vozdcdifynpetqo.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c dqweumtibjkjt.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\dqweumtibjkjt.exe
      dqweumtibjkjt.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:964
- C:\Windows\SysWOW64\cjyvphab.exe
  cjyvphab.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:580
- C:\Windows\SysWOW64\dqweumtibjkjt.exe
  dqweumtibjkjt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1804
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
2aa760288e8e018d37f53f69c8e61c36

SHA1
2fe02f57e11d60fbeb724224e064272963693f14

SHA256
a8f33c4fda00f8cd44a67d62e7237908d3c29f2241c624fd8756493f115c7a9a

SHA512
d2929d8df7fc693be4a967e0f36b9474a750cae39ef11196591c9f4038716cec3e593463d73e42b7c8a751adcbc8d054ce608848a63abcafcebf2d52e6266d72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
2aa760288e8e018d37f53f69c8e61c36

SHA1
2fe02f57e11d60fbeb724224e064272963693f14

SHA256
a8f33c4fda00f8cd44a67d62e7237908d3c29f2241c624fd8756493f115c7a9a

SHA512
d2929d8df7fc693be4a967e0f36b9474a750cae39ef11196591c9f4038716cec3e593463d73e42b7c8a751adcbc8d054ce608848a63abcafcebf2d52e6266d72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
d926092c82719b70e0d273964045abb9

SHA1
266f79d4978ed79c76dce4c7df52b1f689a96f56

SHA256
72a3dde2b0d126916749208d8556cb622a0a38e87cd1b79a6b8693056a0a06e3

SHA512
ba60e2e1843eb9eb92e65022dba5d7f10b24d0fcb4599252175533ba8ba9cbf5e711f6c61765b1195b028e94656920c4771b74ea286c9d3cbc382f346051e369

Download Submit
C:\Windows\SysWOW64\cjyvphab.exe

Filesize
255KB

MD5
167b735e1b45bcc049df3098218262cb

SHA1
43bf45d1fe52904ba515a5fea8269bd3cd308e18

SHA256
b2c1b95eb7c7cc1c55be4d1e1d04855dc1a2c9e309083a373320f25fd2ff6c6a

SHA512
498eae782dd2a34537fa53ab0672cf055bf02764c16c8a1c6696512479a5075e7c3d972fa298c5a1195e0cf38b7919a3cd1a1f5b582f8a8ad6aab93dfa39d8e0

Download Submit
C:\Windows\SysWOW64\cjyvphab.exe

Filesize
255KB

MD5
167b735e1b45bcc049df3098218262cb

SHA1
43bf45d1fe52904ba515a5fea8269bd3cd308e18

SHA256
b2c1b95eb7c7cc1c55be4d1e1d04855dc1a2c9e309083a373320f25fd2ff6c6a

SHA512
498eae782dd2a34537fa53ab0672cf055bf02764c16c8a1c6696512479a5075e7c3d972fa298c5a1195e0cf38b7919a3cd1a1f5b582f8a8ad6aab93dfa39d8e0

Download Submit
C:\Windows\SysWOW64\cjyvphab.exe

Filesize
255KB

MD5
167b735e1b45bcc049df3098218262cb

SHA1
43bf45d1fe52904ba515a5fea8269bd3cd308e18

SHA256
b2c1b95eb7c7cc1c55be4d1e1d04855dc1a2c9e309083a373320f25fd2ff6c6a

SHA512
498eae782dd2a34537fa53ab0672cf055bf02764c16c8a1c6696512479a5075e7c3d972fa298c5a1195e0cf38b7919a3cd1a1f5b582f8a8ad6aab93dfa39d8e0

Download Submit
C:\Windows\SysWOW64\dqweumtibjkjt.exe

Filesize
255KB

MD5
0f8d703fa2a1f1fed255438095bb8de5

SHA1
6ef9f0fe1804654530f7b3b3e0d6407c6ed48092

SHA256
5f486a2b6fc7331e531827cdc2848f540710c16a5211131d6972cafcc5941981

SHA512
1d3052dd106a7f35353a6b91adac50117fdac4a3336d34d0bb772592a9ae0d16f7a5106fe2a6c0ccc13f0be2c09ac667877837dd914df6b4e047cb9c44bba4e6

Download Submit
C:\Windows\SysWOW64\dqweumtibjkjt.exe

Filesize
255KB

MD5
0f8d703fa2a1f1fed255438095bb8de5

SHA1
6ef9f0fe1804654530f7b3b3e0d6407c6ed48092

SHA256
5f486a2b6fc7331e531827cdc2848f540710c16a5211131d6972cafcc5941981

SHA512
1d3052dd106a7f35353a6b91adac50117fdac4a3336d34d0bb772592a9ae0d16f7a5106fe2a6c0ccc13f0be2c09ac667877837dd914df6b4e047cb9c44bba4e6

Download Submit
C:\Windows\SysWOW64\dqweumtibjkjt.exe

Filesize
255KB

MD5
0f8d703fa2a1f1fed255438095bb8de5

SHA1
6ef9f0fe1804654530f7b3b3e0d6407c6ed48092

SHA256
5f486a2b6fc7331e531827cdc2848f540710c16a5211131d6972cafcc5941981

SHA512
1d3052dd106a7f35353a6b91adac50117fdac4a3336d34d0bb772592a9ae0d16f7a5106fe2a6c0ccc13f0be2c09ac667877837dd914df6b4e047cb9c44bba4e6

Download Submit
C:\Windows\SysWOW64\trhwfxawbv.exe

Filesize
255KB

MD5
d3d5c901c498b81487597a27236e3be4

SHA1
91fd9a57a88e9b1687d06f8c6b0a8f5963c9c97b

SHA256
850164962ec7ac3263fc2d01f957f5d527e5c3d43a0e52babf781f96fc1288c5

SHA512
a848679d64d8cedc55fbbd4a942c18e1151132671459d39b5922a27c630d3011a95d2aa57b9ef8b60f06809c40f983f5df4db7cfe09b3ac2f0ec07eb6531725e

Download Submit
C:\Windows\SysWOW64\trhwfxawbv.exe

Filesize
255KB

MD5
d3d5c901c498b81487597a27236e3be4

SHA1
91fd9a57a88e9b1687d06f8c6b0a8f5963c9c97b

SHA256
850164962ec7ac3263fc2d01f957f5d527e5c3d43a0e52babf781f96fc1288c5

SHA512
a848679d64d8cedc55fbbd4a942c18e1151132671459d39b5922a27c630d3011a95d2aa57b9ef8b60f06809c40f983f5df4db7cfe09b3ac2f0ec07eb6531725e

Download Submit
C:\Windows\SysWOW64\vozdcdifynpetqo.exe

Filesize
255KB

MD5
0a2befbff90d167ccf2159b4f124f62a

SHA1
e206b671a975a609cd4d540f31dfc18dc528ddac

SHA256
18247e1999fe5e4034109618de89bb3def33d6e8930cf27d08268c04aa8dd8e1

SHA512
22a477acbf61119eb3f740aaf620570e7a789d7114e3a28683fffb68086e9337ab926bca36a28eccd0c83400482342ab13a36388fc1f161053fb350655d5acc5

Download Submit
C:\Windows\SysWOW64\vozdcdifynpetqo.exe

Filesize
255KB

MD5
0a2befbff90d167ccf2159b4f124f62a

SHA1
e206b671a975a609cd4d540f31dfc18dc528ddac

SHA256
18247e1999fe5e4034109618de89bb3def33d6e8930cf27d08268c04aa8dd8e1

SHA512
22a477acbf61119eb3f740aaf620570e7a789d7114e3a28683fffb68086e9337ab926bca36a28eccd0c83400482342ab13a36388fc1f161053fb350655d5acc5

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\cjyvphab.exe

Filesize
255KB

MD5
167b735e1b45bcc049df3098218262cb

SHA1
43bf45d1fe52904ba515a5fea8269bd3cd308e18

SHA256
b2c1b95eb7c7cc1c55be4d1e1d04855dc1a2c9e309083a373320f25fd2ff6c6a

SHA512
498eae782dd2a34537fa53ab0672cf055bf02764c16c8a1c6696512479a5075e7c3d972fa298c5a1195e0cf38b7919a3cd1a1f5b582f8a8ad6aab93dfa39d8e0

Download Submit
\Windows\SysWOW64\cjyvphab.exe

Filesize
255KB

MD5
167b735e1b45bcc049df3098218262cb

SHA1
43bf45d1fe52904ba515a5fea8269bd3cd308e18

SHA256
b2c1b95eb7c7cc1c55be4d1e1d04855dc1a2c9e309083a373320f25fd2ff6c6a

SHA512
498eae782dd2a34537fa53ab0672cf055bf02764c16c8a1c6696512479a5075e7c3d972fa298c5a1195e0cf38b7919a3cd1a1f5b582f8a8ad6aab93dfa39d8e0

Download Submit
\Windows\SysWOW64\dqweumtibjkjt.exe

Filesize
255KB

MD5
0f8d703fa2a1f1fed255438095bb8de5

SHA1
6ef9f0fe1804654530f7b3b3e0d6407c6ed48092

SHA256
5f486a2b6fc7331e531827cdc2848f540710c16a5211131d6972cafcc5941981

SHA512
1d3052dd106a7f35353a6b91adac50117fdac4a3336d34d0bb772592a9ae0d16f7a5106fe2a6c0ccc13f0be2c09ac667877837dd914df6b4e047cb9c44bba4e6

Download Submit
\Windows\SysWOW64\dqweumtibjkjt.exe

Filesize
255KB

MD5
0f8d703fa2a1f1fed255438095bb8de5

SHA1
6ef9f0fe1804654530f7b3b3e0d6407c6ed48092

SHA256
5f486a2b6fc7331e531827cdc2848f540710c16a5211131d6972cafcc5941981

SHA512
1d3052dd106a7f35353a6b91adac50117fdac4a3336d34d0bb772592a9ae0d16f7a5106fe2a6c0ccc13f0be2c09ac667877837dd914df6b4e047cb9c44bba4e6

Download Submit
\Windows\SysWOW64\trhwfxawbv.exe

Filesize
255KB

MD5
d3d5c901c498b81487597a27236e3be4

SHA1
91fd9a57a88e9b1687d06f8c6b0a8f5963c9c97b

SHA256
850164962ec7ac3263fc2d01f957f5d527e5c3d43a0e52babf781f96fc1288c5

SHA512
a848679d64d8cedc55fbbd4a942c18e1151132671459d39b5922a27c630d3011a95d2aa57b9ef8b60f06809c40f983f5df4db7cfe09b3ac2f0ec07eb6531725e

Download Submit
\Windows\SysWOW64\vozdcdifynpetqo.exe

Filesize
255KB

MD5
0a2befbff90d167ccf2159b4f124f62a

SHA1
e206b671a975a609cd4d540f31dfc18dc528ddac

SHA256
18247e1999fe5e4034109618de89bb3def33d6e8930cf27d08268c04aa8dd8e1

SHA512
22a477acbf61119eb3f740aaf620570e7a789d7114e3a28683fffb68086e9337ab926bca36a28eccd0c83400482342ab13a36388fc1f161053fb350655d5acc5

Download Submit
memory/580-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/580-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/596-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/596-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/876-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/876-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/960-83-0x0000000002FB0000-0x0000000003050000-memory.dmp

Filesize
640KB

Download
memory/960-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/960-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/960-55-0x00000000753D1000-0x00000000753D3000-memory.dmp

Filesize
8KB

Download
memory/960-54-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/964-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/964-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1148-109-0x000007FEFBBA1000-0x000007FEFBBA3000-memory.dmp

Filesize
8KB

Download
memory/1284-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1284-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1648-100-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/1648-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1648-96-0x0000000070111000-0x0000000070113000-memory.dmp

Filesize
8KB

Download
memory/1648-107-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/1648-95-0x0000000072691000-0x0000000072694000-memory.dmp

Filesize
12KB

Download
memory/1804-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1804-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download