c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb

Analysis

max time kernel
151s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
Size

255KB
MD5

bbbb3a7f37cfdf3af1a185a9cff0c9e9
SHA1

24ecfeff06eb06fe4532a1239e3410b55ad09c1d
SHA256

c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb
SHA512

18b24947405bb57c103d1c4aaf2ce89f7f45f4ff1317b989437956dd419cdad9f7a7a080130d1bd324856765834f8ffa3e4421b8ddabf2de601693ecbf3ae46b
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJx:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIC

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dnxcezixeo.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dnxcezixeo.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dnxcezixeo.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dnxcezixeo.exe

Executes dropped EXE 5 IoCs

pid	Process
1316	dnxcezixeo.exe
1160	upurmrdvoximpfj.exe
580	axiafmsi.exe
1696	lxmtnjfnpfkaa.exe
692	axiafmsi.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1748-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000a000000012738-56.dat	upx
behavioral1/files/0x000a000000012738-58.dat	upx
behavioral1/files/0x000a000000012738-60.dat	upx
behavioral1/files/0x0009000000013152-61.dat	upx
behavioral1/files/0x00080000000133e5-65.dat	upx
behavioral1/files/0x0009000000013152-63.dat	upx
behavioral1/files/0x00080000000133e5-67.dat	upx
behavioral1/files/0x0009000000013152-68.dat	upx
behavioral1/files/0x00070000000133ea-70.dat	upx
behavioral1/files/0x00070000000133ea-72.dat	upx
behavioral1/files/0x00080000000133e5-74.dat	upx
behavioral1/files/0x00070000000133ea-75.dat	upx
behavioral1/files/0x00080000000133e5-76.dat	upx
behavioral1/files/0x00080000000133e5-78.dat	upx
behavioral1/memory/1316-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1160-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/580-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1696-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/692-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1748-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1316-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1160-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/580-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1696-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/692-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00060000000142ee-105.dat	upx
behavioral1/files/0x0006000000014371-106.dat	upx
behavioral1/files/0x0006000000014496-107.dat	upx
behavioral1/files/0x0006000000014496-109.dat	upx
behavioral1/files/0x0006000000014496-108.dat	upx
behavioral1/files/0x000600000001449c-110.dat	upx
behavioral1/files/0x00060000000144a4-111.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1316	dnxcezixeo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	dnxcezixeo.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	upurmrdvoximpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\crbgwmxe = "dnxcezixeo.exe"	upurmrdvoximpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oognnqzb = "upurmrdvoximpfj.exe"	upurmrdvoximpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lxmtnjfnpfkaa.exe"	upurmrdvoximpfj.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	axiafmsi.exe
File opened (read-only)	\??\y:	axiafmsi.exe
File opened (read-only)	\??\l:	dnxcezixeo.exe
File opened (read-only)	\??\n:	dnxcezixeo.exe
File opened (read-only)	\??\u:	axiafmsi.exe
File opened (read-only)	\??\w:	axiafmsi.exe
File opened (read-only)	\??\h:	axiafmsi.exe
File opened (read-only)	\??\l:	axiafmsi.exe
File opened (read-only)	\??\q:	axiafmsi.exe
File opened (read-only)	\??\i:	axiafmsi.exe
File opened (read-only)	\??\v:	axiafmsi.exe
File opened (read-only)	\??\r:	axiafmsi.exe
File opened (read-only)	\??\i:	dnxcezixeo.exe
File opened (read-only)	\??\s:	axiafmsi.exe
File opened (read-only)	\??\b:	axiafmsi.exe
File opened (read-only)	\??\m:	axiafmsi.exe
File opened (read-only)	\??\f:	axiafmsi.exe
File opened (read-only)	\??\k:	axiafmsi.exe
File opened (read-only)	\??\o:	axiafmsi.exe
File opened (read-only)	\??\q:	axiafmsi.exe
File opened (read-only)	\??\t:	dnxcezixeo.exe
File opened (read-only)	\??\r:	dnxcezixeo.exe
File opened (read-only)	\??\v:	dnxcezixeo.exe
File opened (read-only)	\??\w:	dnxcezixeo.exe
File opened (read-only)	\??\y:	dnxcezixeo.exe
File opened (read-only)	\??\g:	axiafmsi.exe
File opened (read-only)	\??\n:	axiafmsi.exe
File opened (read-only)	\??\k:	dnxcezixeo.exe
File opened (read-only)	\??\m:	dnxcezixeo.exe
File opened (read-only)	\??\o:	dnxcezixeo.exe
File opened (read-only)	\??\s:	dnxcezixeo.exe
File opened (read-only)	\??\f:	axiafmsi.exe
File opened (read-only)	\??\f:	dnxcezixeo.exe
File opened (read-only)	\??\b:	dnxcezixeo.exe
File opened (read-only)	\??\v:	axiafmsi.exe
File opened (read-only)	\??\q:	dnxcezixeo.exe
File opened (read-only)	\??\x:	axiafmsi.exe
File opened (read-only)	\??\h:	axiafmsi.exe
File opened (read-only)	\??\p:	axiafmsi.exe
File opened (read-only)	\??\b:	axiafmsi.exe
File opened (read-only)	\??\w:	axiafmsi.exe
File opened (read-only)	\??\z:	axiafmsi.exe
File opened (read-only)	\??\e:	dnxcezixeo.exe
File opened (read-only)	\??\j:	axiafmsi.exe
File opened (read-only)	\??\p:	axiafmsi.exe
File opened (read-only)	\??\e:	axiafmsi.exe
File opened (read-only)	\??\e:	axiafmsi.exe
File opened (read-only)	\??\p:	dnxcezixeo.exe
File opened (read-only)	\??\i:	axiafmsi.exe
File opened (read-only)	\??\s:	axiafmsi.exe
File opened (read-only)	\??\t:	axiafmsi.exe
File opened (read-only)	\??\u:	axiafmsi.exe
File opened (read-only)	\??\a:	dnxcezixeo.exe
File opened (read-only)	\??\j:	dnxcezixeo.exe
File opened (read-only)	\??\k:	axiafmsi.exe
File opened (read-only)	\??\n:	axiafmsi.exe
File opened (read-only)	\??\j:	axiafmsi.exe
File opened (read-only)	\??\o:	axiafmsi.exe
File opened (read-only)	\??\x:	axiafmsi.exe
File opened (read-only)	\??\a:	axiafmsi.exe
File opened (read-only)	\??\a:	axiafmsi.exe
File opened (read-only)	\??\g:	axiafmsi.exe
File opened (read-only)	\??\m:	axiafmsi.exe
File opened (read-only)	\??\y:	axiafmsi.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	dnxcezixeo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	dnxcezixeo.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1748-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1748-80-0x0000000002F00000-0x0000000002FA0000-memory.dmp	autoit_exe
behavioral1/memory/1316-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1160-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/580-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1748-85-0x0000000002F00000-0x0000000002FA0000-memory.dmp	autoit_exe
behavioral1/memory/1696-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/692-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1748-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1316-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1160-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/580-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1696-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/692-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	dnxcezixeo.exe
File created	C:\Windows\SysWOW64\dnxcezixeo.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File created	C:\Windows\SysWOW64\upurmrdvoximpfj.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File opened for modification	C:\Windows\SysWOW64\upurmrdvoximpfj.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File opened for modification	C:\Windows\SysWOW64\lxmtnjfnpfkaa.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File opened for modification	C:\Windows\SysWOW64\dnxcezixeo.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File created	C:\Windows\SysWOW64\axiafmsi.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File opened for modification	C:\Windows\SysWOW64\axiafmsi.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File created	C:\Windows\SysWOW64\lxmtnjfnpfkaa.exe	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	axiafmsi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	axiafmsi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	axiafmsi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	axiafmsi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	axiafmsi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	axiafmsi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	axiafmsi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	axiafmsi.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	dnxcezixeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB05B47E739E353C8BAA633EFD7CF"	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFC8F482D826E9136D72D7D93BDE3E63259416735633FD7EC"	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	dnxcezixeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
112	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
580	axiafmsi.exe
580	axiafmsi.exe
580	axiafmsi.exe
580	axiafmsi.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
692	axiafmsi.exe
692	axiafmsi.exe
692	axiafmsi.exe
692	axiafmsi.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1160	upurmrdvoximpfj.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
580	axiafmsi.exe
580	axiafmsi.exe
580	axiafmsi.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
692	axiafmsi.exe
692	axiafmsi.exe
692	axiafmsi.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1316	dnxcezixeo.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
1160	upurmrdvoximpfj.exe
580	axiafmsi.exe
580	axiafmsi.exe
580	axiafmsi.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
1696	lxmtnjfnpfkaa.exe
692	axiafmsi.exe
692	axiafmsi.exe
692	axiafmsi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
112	WINWORD.EXE
112	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1316	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	28
PID 1748 wrote to memory of 1316	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	28
PID 1748 wrote to memory of 1316	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	28
PID 1748 wrote to memory of 1316	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	28
PID 1748 wrote to memory of 1160	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	29
PID 1748 wrote to memory of 1160	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	29
PID 1748 wrote to memory of 1160	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	29
PID 1748 wrote to memory of 1160	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	29
PID 1748 wrote to memory of 580	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	30
PID 1748 wrote to memory of 580	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	30
PID 1748 wrote to memory of 580	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	30
PID 1748 wrote to memory of 580	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	30
PID 1748 wrote to memory of 1696	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	31
PID 1748 wrote to memory of 1696	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	31
PID 1748 wrote to memory of 1696	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	31
PID 1748 wrote to memory of 1696	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	31
PID 1316 wrote to memory of 692	1316	dnxcezixeo.exe	32
PID 1316 wrote to memory of 692	1316	dnxcezixeo.exe	32
PID 1316 wrote to memory of 692	1316	dnxcezixeo.exe	32
PID 1316 wrote to memory of 692	1316	dnxcezixeo.exe	32
PID 1748 wrote to memory of 112	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	33
PID 1748 wrote to memory of 112	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	33
PID 1748 wrote to memory of 112	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	33
PID 1748 wrote to memory of 112	1748	c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe	33
PID 112 wrote to memory of 2028	112	WINWORD.EXE	37
PID 112 wrote to memory of 2028	112	WINWORD.EXE	37
PID 112 wrote to memory of 2028	112	WINWORD.EXE	37
PID 112 wrote to memory of 2028	112	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe
"C:\Users\Admin\AppData\Local\Temp\c9f78152e95b3ed08dca5b11433d527fb82159a928fac5562b64b95c8fad97fb.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\SysWOW64\dnxcezixeo.exe
  dnxcezixeo.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\axiafmsi.exe
    C:\Windows\system32\axiafmsi.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:692
- C:\Windows\SysWOW64\upurmrdvoximpfj.exe
  upurmrdvoximpfj.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1160
- C:\Windows\SysWOW64\axiafmsi.exe
  axiafmsi.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:580
- C:\Windows\SysWOW64\lxmtnjfnpfkaa.exe
  lxmtnjfnpfkaa.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1696
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
44ffd720cbb2208d1dc0376b623a703c

SHA1
4307add7b21ed9402c126a644f4cd5d2a6405a4e

SHA256
fe5c1fed1d7723199b548c6cc073679fb94d082e8a7c86046dcd213b23dad718

SHA512
f7f8d5c7453545f123acad43bccac91cd59ae55da79ea2f5698cb441d54004aec26c39cda19b5f9707618322328a4a7991179b01f980cb3615bd4270320f6f9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
076c3c5d09793ce902cbc9967ac79263

SHA1
d6ced7f3f228307e6b492866983fe982abd8ddd5

SHA256
39bf6c8eeec7d51cd75629f8f0f54a94e9f2042389dc0e0b2083ae0e559a7a7b

SHA512
db57fd419aa187de4e1f4728bfce0e18ebeb6686f8e73253f27e3e2297501b2a685305f5ef5112b88a472b2673039a757833e294db24a39fe7f387e9fe225ac5

Download Submit
C:\Users\Admin\Documents\ExitRevoke.doc.exe

Filesize
255KB

MD5
111ebd29334e171cdd15168db3a786be

SHA1
435e7669efe35547483f8be261c7450c9745e84b

SHA256
ac32051a53abd2292f2fe3050252a8790095abd4c506cdff2194cb1c05638b5e

SHA512
e40565b8585e839fbcb3efb3fbbd8a4de46a1e0b4c6b339b2848b9ac859bd8c65308b8275122e55005aa6d4c26c54f05945f564e87efe9961803c18fd9d9d256

Download Submit
C:\Users\Admin\Documents\ExitRevoke.doc.exe

Filesize
255KB

MD5
111ebd29334e171cdd15168db3a786be

SHA1
435e7669efe35547483f8be261c7450c9745e84b

SHA256
ac32051a53abd2292f2fe3050252a8790095abd4c506cdff2194cb1c05638b5e

SHA512
e40565b8585e839fbcb3efb3fbbd8a4de46a1e0b4c6b339b2848b9ac859bd8c65308b8275122e55005aa6d4c26c54f05945f564e87efe9961803c18fd9d9d256

Download Submit
C:\Users\Admin\Documents\SplitUnpublish.doc.exe

Filesize
255KB

MD5
793c85049dd4d185906909e2a044b457

SHA1
84df8e392ce403f616411d15683d597f2c2bc335

SHA256
ff14a093640acb4faaefe3f02fd07d263db15cf98c46a5fa13620df57c8d3217

SHA512
90fbb3476f56845eadb28d81d6ed788ed953d78abd886b7368f3dad7cafc8c7f921da5c59923a372b3658267cec63e6dcb8a532fb5b203cb15b8401663ea98af

Download Submit
C:\Users\Admin\Downloads\EnableWrite.doc.exe

Filesize
255KB

MD5
692e164ad034cc277f1cb79f26057215

SHA1
e4e716c2c9c8810d7e9d7a478fd976513cc113b2

SHA256
66ae31de1fc8075cc4b4f5170a7ccdae62e344f4770647a82cbe7bdf2e020655

SHA512
f3d671d5d7ff2c8957659b5fbb3cfa6124a32e9f3dece3fd0bf2108c09320c826d360426e994934c51a30c0e1b514db3eab41e613817c50b3543ed7343370c6a

Download Submit
C:\Windows\SysWOW64\axiafmsi.exe

Filesize
255KB

MD5
0346e29dfe06a593a418b1a89124832e

SHA1
64beb0a9d7735b6b6bceb1edb1c189fef0e43716

SHA256
ea721f0dab756d964a7ef9ec2d749fbbdb8545b5ec17bf616fef4270c42d2c4e

SHA512
d2d1668873ca5e33496e6aa0240622a66c98fd422d74c8afa5a3a36bc0f3ec2ba6d368d3679ee2eb4986d3b9f385e4344efd3ca4f43a40a4277f77a46a37b5d1

Download Submit
C:\Windows\SysWOW64\axiafmsi.exe

Filesize
255KB

MD5
0346e29dfe06a593a418b1a89124832e

SHA1
64beb0a9d7735b6b6bceb1edb1c189fef0e43716

SHA256
ea721f0dab756d964a7ef9ec2d749fbbdb8545b5ec17bf616fef4270c42d2c4e

SHA512
d2d1668873ca5e33496e6aa0240622a66c98fd422d74c8afa5a3a36bc0f3ec2ba6d368d3679ee2eb4986d3b9f385e4344efd3ca4f43a40a4277f77a46a37b5d1

Download Submit
C:\Windows\SysWOW64\axiafmsi.exe

Filesize
255KB

MD5
0346e29dfe06a593a418b1a89124832e

SHA1
64beb0a9d7735b6b6bceb1edb1c189fef0e43716

SHA256
ea721f0dab756d964a7ef9ec2d749fbbdb8545b5ec17bf616fef4270c42d2c4e

SHA512
d2d1668873ca5e33496e6aa0240622a66c98fd422d74c8afa5a3a36bc0f3ec2ba6d368d3679ee2eb4986d3b9f385e4344efd3ca4f43a40a4277f77a46a37b5d1

Download Submit
C:\Windows\SysWOW64\dnxcezixeo.exe

Filesize
255KB

MD5
aca355a44cab22da067fd7d3d46a9e25

SHA1
e4120d39df7d5e3d1fcf45eb10a6d0ec63fce231

SHA256
9e13726e23bc56f73e651bce36dafd79e24c0889ed4eab2e759b1ffb4c77e84e

SHA512
99192b381684c3aaf9e9219907d67314844853098d64ebd4f8352197527ef60057a16141122bf0d3bf1097c35dc02d34ee6a2a0411af04cf59b89f2c1dc175e6

Download Submit
C:\Windows\SysWOW64\dnxcezixeo.exe

Filesize
255KB

MD5
aca355a44cab22da067fd7d3d46a9e25

SHA1
e4120d39df7d5e3d1fcf45eb10a6d0ec63fce231

SHA256
9e13726e23bc56f73e651bce36dafd79e24c0889ed4eab2e759b1ffb4c77e84e

SHA512
99192b381684c3aaf9e9219907d67314844853098d64ebd4f8352197527ef60057a16141122bf0d3bf1097c35dc02d34ee6a2a0411af04cf59b89f2c1dc175e6

Download Submit
C:\Windows\SysWOW64\lxmtnjfnpfkaa.exe

Filesize
255KB

MD5
84e978ee03e450515c346fd7a73a77b4

SHA1
4761e808c73edcfcbf0ea55d57037d20ad928880

SHA256
56fa7009bd5fe865c7887f89efaa9f278b6f5437020c49623c0fbb4f2602bab1

SHA512
a5f3cd5efe4940655afebbaf376409c1352202c22337f12280a3c260fde87d0b8d7c228fe41dc8260e3e38c8b9ca76d9fc473a20e2b26fc53fc0a035c3ade57f

Download Submit
C:\Windows\SysWOW64\lxmtnjfnpfkaa.exe

Filesize
255KB

MD5
84e978ee03e450515c346fd7a73a77b4

SHA1
4761e808c73edcfcbf0ea55d57037d20ad928880

SHA256
56fa7009bd5fe865c7887f89efaa9f278b6f5437020c49623c0fbb4f2602bab1

SHA512
a5f3cd5efe4940655afebbaf376409c1352202c22337f12280a3c260fde87d0b8d7c228fe41dc8260e3e38c8b9ca76d9fc473a20e2b26fc53fc0a035c3ade57f

Download Submit
C:\Windows\SysWOW64\upurmrdvoximpfj.exe

Filesize
255KB

MD5
2e91cce726c660af38ed82a91f65fbb7

SHA1
ae78ecfaebdfcae46ffbae773256370709927baf

SHA256
87eeed9e3590abf6d2e45303fdcdd1f967169365d564a80a5a39b9689e06299a

SHA512
40c8008b3cc24564d0e3801cd894d16814c1bcd6069a1708dd8ec78339cb5d28ceb173265f9e8ef9a647e1658674fa0088ab17d4418ddad9b954c3dab7857f88

Download Submit
C:\Windows\SysWOW64\upurmrdvoximpfj.exe

Filesize
255KB

MD5
2e91cce726c660af38ed82a91f65fbb7

SHA1
ae78ecfaebdfcae46ffbae773256370709927baf

SHA256
87eeed9e3590abf6d2e45303fdcdd1f967169365d564a80a5a39b9689e06299a

SHA512
40c8008b3cc24564d0e3801cd894d16814c1bcd6069a1708dd8ec78339cb5d28ceb173265f9e8ef9a647e1658674fa0088ab17d4418ddad9b954c3dab7857f88

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Users\Admin\Documents\ExitRevoke.doc.exe

Filesize
255KB

MD5
111ebd29334e171cdd15168db3a786be

SHA1
435e7669efe35547483f8be261c7450c9745e84b

SHA256
ac32051a53abd2292f2fe3050252a8790095abd4c506cdff2194cb1c05638b5e

SHA512
e40565b8585e839fbcb3efb3fbbd8a4de46a1e0b4c6b339b2848b9ac859bd8c65308b8275122e55005aa6d4c26c54f05945f564e87efe9961803c18fd9d9d256

Download Submit
\Windows\SysWOW64\axiafmsi.exe

Filesize
255KB

MD5
0346e29dfe06a593a418b1a89124832e

SHA1
64beb0a9d7735b6b6bceb1edb1c189fef0e43716

SHA256
ea721f0dab756d964a7ef9ec2d749fbbdb8545b5ec17bf616fef4270c42d2c4e

SHA512
d2d1668873ca5e33496e6aa0240622a66c98fd422d74c8afa5a3a36bc0f3ec2ba6d368d3679ee2eb4986d3b9f385e4344efd3ca4f43a40a4277f77a46a37b5d1

Download Submit
\Windows\SysWOW64\axiafmsi.exe

Filesize
255KB

MD5
0346e29dfe06a593a418b1a89124832e

SHA1
64beb0a9d7735b6b6bceb1edb1c189fef0e43716

SHA256
ea721f0dab756d964a7ef9ec2d749fbbdb8545b5ec17bf616fef4270c42d2c4e

SHA512
d2d1668873ca5e33496e6aa0240622a66c98fd422d74c8afa5a3a36bc0f3ec2ba6d368d3679ee2eb4986d3b9f385e4344efd3ca4f43a40a4277f77a46a37b5d1

Download Submit
\Windows\SysWOW64\dnxcezixeo.exe

Filesize
255KB

MD5
aca355a44cab22da067fd7d3d46a9e25

SHA1
e4120d39df7d5e3d1fcf45eb10a6d0ec63fce231

SHA256
9e13726e23bc56f73e651bce36dafd79e24c0889ed4eab2e759b1ffb4c77e84e

SHA512
99192b381684c3aaf9e9219907d67314844853098d64ebd4f8352197527ef60057a16141122bf0d3bf1097c35dc02d34ee6a2a0411af04cf59b89f2c1dc175e6

Download Submit
\Windows\SysWOW64\lxmtnjfnpfkaa.exe

Filesize
255KB

MD5
84e978ee03e450515c346fd7a73a77b4

SHA1
4761e808c73edcfcbf0ea55d57037d20ad928880

SHA256
56fa7009bd5fe865c7887f89efaa9f278b6f5437020c49623c0fbb4f2602bab1

SHA512
a5f3cd5efe4940655afebbaf376409c1352202c22337f12280a3c260fde87d0b8d7c228fe41dc8260e3e38c8b9ca76d9fc473a20e2b26fc53fc0a035c3ade57f

Download Submit
\Windows\SysWOW64\upurmrdvoximpfj.exe

Filesize
255KB

MD5
2e91cce726c660af38ed82a91f65fbb7

SHA1
ae78ecfaebdfcae46ffbae773256370709927baf

SHA256
87eeed9e3590abf6d2e45303fdcdd1f967169365d564a80a5a39b9689e06299a

SHA512
40c8008b3cc24564d0e3801cd894d16814c1bcd6069a1708dd8ec78339cb5d28ceb173265f9e8ef9a647e1658674fa0088ab17d4418ddad9b954c3dab7857f88

Download Submit
memory/112-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/112-113-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/112-102-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/112-94-0x00000000711FD000-0x0000000071208000-memory.dmp

Filesize
44KB

Download
memory/112-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/112-91-0x0000000070211000-0x0000000070213000-memory.dmp

Filesize
8KB

Download
memory/112-90-0x0000000072791000-0x0000000072794000-memory.dmp

Filesize
12KB

Download
memory/580-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/580-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/692-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/692-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1160-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1160-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1316-100-0x0000000002530000-0x00000000025D0000-memory.dmp

Filesize
640KB

Download
memory/1316-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1316-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1696-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1696-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1748-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1748-54-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1748-85-0x0000000002F00000-0x0000000002FA0000-memory.dmp

Filesize
640KB

Download
memory/1748-82-0x0000000002F00000-0x0000000002FA0000-memory.dmp

Filesize
640KB

Download
memory/1748-80-0x0000000002F00000-0x0000000002FA0000-memory.dmp

Filesize
640KB

Download
memory/1748-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2028-104-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download