Analysis
max time kernel: 152s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 19:06
Behavioral task: behavioral1
Sample: c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Resource: win7-20221111-en
General
Target: c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Size: 255KB
MD5: c2e8789e3210945b0c53e5ba044a0b5f
SHA1: 96d451bbfc475937bd9a57f969eb1c6fb25003c7
SHA256: c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92
SHA512: c392fc4280273d1276d18459b9b58a0280d90db17b9cd5a00eacc017c1ff8647af1b4401538cba76d2b15f35a636d43fa89dd1d4126460507e301bfdd9cee3b4
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJZ:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIE
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | wcmvzeodlb.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | wcmvzeodlb.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcmvzeodlb.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wcmvzeodlb.exe
Executes dropped EXE 5 IoCs
pid | Process
596 | wcmvzeodlb.exe
1908 | rycrfkdjikkbpfd.exe
572 | zprvhnzj.exe
1288 | dfthhmmwxcgfe.exe
284 | zprvhnzj.exe
resource | yara_rule
behavioral1/files/0x000b0000000122ea-55.dat | upx
behavioral1/files/0x000b0000000122ea-57.dat | upx
behavioral1/files/0x000b0000000122ea-59.dat | upx
behavioral1/files/0x000a0000000122ed-60.dat | upx
behavioral1/files/0x000a0000000122ed-62.dat | upx
behavioral1/files/0x00090000000122f2-64.dat | upx
behavioral1/files/0x000a0000000122ed-65.dat | upx
behavioral1/files/0x00090000000122f2-67.dat | upx
behavioral1/files/0x00080000000122f4-69.dat | upx
behavioral1/files/0x00080000000122f4-71.dat | upx
behavioral1/files/0x00080000000122f4-73.dat | upx
behavioral1/memory/2016-74-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/596-76-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1908-77-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1288-79-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x00090000000122f2-81.dat | upx
behavioral1/files/0x00090000000122f2-80.dat | upx
behavioral1/memory/572-78-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x00090000000122f2-83.dat | upx
behavioral1/memory/2016-86-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/284-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1288-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/596-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1908-97-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/572-98-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/284-99-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x000700000001270c-102.dat | upx
behavioral1/files/0x0007000000012722-103.dat | upx
Loads dropped DLL 5 IoCs
pid | Process
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
596 | wcmvzeodlb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | wcmvzeodlb.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | rycrfkdjikkbpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zbbxjuce = "wcmvzeodlb.exe" | rycrfkdjikkbpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ngsswtoq = "rycrfkdjikkbpfd.exe" | rycrfkdjikkbpfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dfthhmmwxcgfe.exe" | rycrfkdjikkbpfd.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\v: | zprvhnzj.exe
File opened (read-only) | \??\g: | zprvhnzj.exe
File opened (read-only) | \??\v: | wcmvzeodlb.exe
File opened (read-only) | \??\w: | wcmvzeodlb.exe
File opened (read-only) | \??\z: | wcmvzeodlb.exe
File opened (read-only) | \??\j: | zprvhnzj.exe
File opened (read-only) | \??\m: | zprvhnzj.exe
File opened (read-only) | \??\t: | zprvhnzj.exe
File opened (read-only) | \??\p: | zprvhnzj.exe
File opened (read-only) | \??\q: | wcmvzeodlb.exe
File opened (read-only) | \??\b: | zprvhnzj.exe
File opened (read-only) | \??\g: | zprvhnzj.exe
File opened (read-only) | \??\w: | zprvhnzj.exe
File opened (read-only) | \??\n: | zprvhnzj.exe
File opened (read-only) | \??\q: | zprvhnzj.exe
File opened (read-only) | \??\f: | wcmvzeodlb.exe
File opened (read-only) | \??\g: | wcmvzeodlb.exe
File opened (read-only) | \??\s: | zprvhnzj.exe
File opened (read-only) | \??\b: | zprvhnzj.exe
File opened (read-only) | \??\u: | zprvhnzj.exe
File opened (read-only) | \??\y: | zprvhnzj.exe
File opened (read-only) | \??\n: | wcmvzeodlb.exe
File opened (read-only) | \??\s: | wcmvzeodlb.exe
File opened (read-only) | \??\x: | zprvhnzj.exe
File opened (read-only) | \??\z: | zprvhnzj.exe
File opened (read-only) | \??\m: | zprvhnzj.exe
File opened (read-only) | \??\o: | zprvhnzj.exe
File opened (read-only) | \??\p: | zprvhnzj.exe
File opened (read-only) | \??\q: | zprvhnzj.exe
File opened (read-only) | \??\m: | wcmvzeodlb.exe
File opened (read-only) | \??\e: | zprvhnzj.exe
File opened (read-only) | \??\f: | zprvhnzj.exe
File opened (read-only) | \??\k: | zprvhnzj.exe
File opened (read-only) | \??\w: | zprvhnzj.exe
File opened (read-only) | \??\o: | wcmvzeodlb.exe
File opened (read-only) | \??\r: | zprvhnzj.exe
File opened (read-only) | \??\j: | zprvhnzj.exe
File opened (read-only) | \??\r: | wcmvzeodlb.exe
File opened (read-only) | \??\u: | zprvhnzj.exe
File opened (read-only) | \??\y: | zprvhnzj.exe
File opened (read-only) | \??\s: | zprvhnzj.exe
File opened (read-only) | \??\t: | wcmvzeodlb.exe
File opened (read-only) | \??\n: | zprvhnzj.exe
File opened (read-only) | \??\z: | zprvhnzj.exe
File opened (read-only) | \??\i: | zprvhnzj.exe
File opened (read-only) | \??\e: | zprvhnzj.exe
File opened (read-only) | \??\h: | zprvhnzj.exe
File opened (read-only) | \??\l: | zprvhnzj.exe
File opened (read-only) | \??\t: | zprvhnzj.exe
File opened (read-only) | \??\v: | zprvhnzj.exe
File opened (read-only) | \??\k: | wcmvzeodlb.exe
File opened (read-only) | \??\h: | zprvhnzj.exe
File opened (read-only) | \??\o: | zprvhnzj.exe
File opened (read-only) | \??\x: | zprvhnzj.exe
File opened (read-only) | \??\h: | wcmvzeodlb.exe
File opened (read-only) | \??\f: | zprvhnzj.exe
File opened (read-only) | \??\k: | zprvhnzj.exe
File opened (read-only) | \??\i: | zprvhnzj.exe
File opened (read-only) | \??\b: | wcmvzeodlb.exe
File opened (read-only) | \??\e: | wcmvzeodlb.exe
File opened (read-only) | \??\i: | wcmvzeodlb.exe
File opened (read-only) | \??\l: | wcmvzeodlb.exe
File opened (read-only) | \??\a: | zprvhnzj.exe
File opened (read-only) | \??\r: | zprvhnzj.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | wcmvzeodlb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | wcmvzeodlb.exe
AutoIT Executable 11 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2016-74-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/596-76-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1908-77-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1288-79-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2016-86-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/284-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1288-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/596-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1908-97-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/572-98-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/284-99-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\dfthhmmwxcgfe.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\SysWOW64\dfthhmmwxcgfe.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | wcmvzeodlb.exe
File created | C:\Windows\SysWOW64\wcmvzeodlb.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File created | C:\Windows\SysWOW64\rycrfkdjikkbpfd.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\SysWOW64\zprvhnzj.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\SysWOW64\wcmvzeodlb.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\SysWOW64\rycrfkdjikkbpfd.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File created | C:\Windows\SysWOW64\zprvhnzj.exe | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | zprvhnzj.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zprvhnzj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zprvhnzj.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | zprvhnzj.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zprvhnzj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | zprvhnzj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zprvhnzj.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | zprvhnzj.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32442C7B9C2482596D3676D570522CDA7D8264DB" | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | wcmvzeodlb.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | wcmvzeodlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | wcmvzeodlb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC1B02A4497389D53BDBADC339FD7CC" | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC60F14E1DBC3B9BA7FE0ED9137C8" | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1916 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
1908 | rycrfkdjikkbpfd.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
596 | wcmvzeodlb.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1908 | rycrfkdjikkbpfd.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
1288 | dfthhmmwxcgfe.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
284 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
572 | zprvhnzj.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1916 | WINWORD.EXE
1916 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 2016 wrote to memory of 596 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 28
PID 2016 wrote to memory of 596 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 28
PID 2016 wrote to memory of 596 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 28
PID 2016 wrote to memory of 596 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 28
PID 2016 wrote to memory of 1908 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 29
PID 2016 wrote to memory of 1908 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 29
PID 2016 wrote to memory of 1908 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 29
PID 2016 wrote to memory of 1908 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 29
PID 2016 wrote to memory of 572 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 30
PID 2016 wrote to memory of 572 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 30
PID 2016 wrote to memory of 572 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 30
PID 2016 wrote to memory of 572 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 30
PID 2016 wrote to memory of 1288 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 31
PID 2016 wrote to memory of 1288 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 31
PID 2016 wrote to memory of 1288 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 31
PID 2016 wrote to memory of 1288 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 31
PID 596 wrote to memory of 284 | 596 | wcmvzeodlb.exe | 32
PID 596 wrote to memory of 284 | 596 | wcmvzeodlb.exe | 32
PID 596 wrote to memory of 284 | 596 | wcmvzeodlb.exe | 32
PID 596 wrote to memory of 284 | 596 | wcmvzeodlb.exe | 32
PID 2016 wrote to memory of 1916 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 33
PID 2016 wrote to memory of 1916 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 33
PID 2016 wrote to memory of 1916 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 33
PID 2016 wrote to memory of 1916 | 2016 | c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe | 33
PID 1916 wrote to memory of 2044 | 1916 | WINWORD.EXE | 37
PID 1916 wrote to memory of 2044 | 1916 | WINWORD.EXE | 37
PID 1916 wrote to memory of 2044 | 1916 | WINWORD.EXE | 37
PID 1916 wrote to memory of 2044 | 1916 | WINWORD.EXE | 37
Processes
C:\Users\Admin\AppData\Local\Temp\c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe (command line: "C:\Users\Admin\AppData\Local\Temp\c6e995ad9de5b99562665772c0af10d1c9afe524145076bff599a3e6f0ba7d92.exe", level 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016
C:\Windows\SysWOW64\wcmvzeodlb.exe (command line: wcmvzeodlb.exe, level 2)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:596
C:\Windows\SysWOW64\zprvhnzj.exe (command line: C:\Windows\system32\zprvhnzj.exe, level 3)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:284
C:\Windows\SysWOW64\rycrfkdjikkbpfd.exe (command line: rycrfkdjikkbpfd.exe, level 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1908
C:\Windows\SysWOW64\zprvhnzj.exe (command line: zprvhnzj.exe, level 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572
C:\Windows\SysWOW64\dfthhmmwxcgfe.exe (command line: dfthhmmwxcgfe.exe, level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf", level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288, level 3)
PID:2044
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
Downloads