Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x2kxesccgk
Target acacf07347ddcc9e387db0e4b34c443b.exe
SHA256 378b9ddad58713a141c9d024072c52b07d558129a576288469bd1c0fc0f8909b
Tags
evasion persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

378b9ddad58713a141c9d024072c52b07d558129a576288469bd1c0fc0f8909b

Threat Level: Known bad

The file acacf07347ddcc9e387db0e4b34c443b.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:23

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elxeeltg = "tfhzyegewp.exe" C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\emvgskgm = "zwxsmvdczunjwvo.exe" C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "swxcfvamnuxom.exe" C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File created C:\Windows\SysWOW64\tfhzyegewp.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\vzmoklvn.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\swxcfvamnuxom.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\swxcfvamnuxom.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\tfhzyegewp.exe N/A
File opened for modification C:\Windows\SysWOW64\tfhzyegewp.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\vzmoklvn.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vzmoklvn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7E9C2182556D3576D570212CDB7CF265D9" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFF9CAFE65F2E3837D3A47869F3992B3FC03F143660333E2C945E608A5" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02047E339ED53C5BAA53393D7C8" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BB9FF6C21DDD20CD0A28B7D9114" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C67C14E4DAC7B9BE7C94EDE034BD" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8BFCFB4F2885129145D6217D94BDE0E13C5842664F6331D799" C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\tfhzyegewp.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Windows\SysWOW64\tfhzyegewp.exe N/A
N/A N/A C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe N/A
N/A N/A C:\Windows\SysWOW64\vzmoklvn.exe N/A
N/A N/A C:\Windows\SysWOW64\swxcfvamnuxom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\tfhzyegewp.exe
PID 1448 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe
PID 1448 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\vzmoklvn.exe
PID 1448 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\swxcfvamnuxom.exe
PID 3964 wrote to memory of 908 N/A C:\Windows\SysWOW64\tfhzyegewp.exe C:\Windows\SysWOW64\vzmoklvn.exe
PID 1448 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe

"C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe"

C:\Windows\SysWOW64\zwxsmvdczunjwvo.exe

zwxsmvdczunjwvo.exe

C:\Windows\SysWOW64\swxcfvamnuxom.exe

swxcfvamnuxom.exe

C:\Windows\SysWOW64\vzmoklvn.exe

vzmoklvn.exe

C:\Windows\SysWOW64\vzmoklvn.exe

C:\Windows\system32\vzmoklvn.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\tfhzyegewp.exe

tfhzyegewp.exe

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:24

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gsrpjbjlmeoal.exe" C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lrrbtige = "zvvrsraxcl.exe" C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lcfmfjiq = "wjcyqyysmurgtuz.exe" C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bnrndwmv.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\bnrndwmv.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\gsrpjbjlmeoal.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
File created C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\SysWOW64\bnrndwmv.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File created C:\Windows\SysWOW64\gsrpjbjlmeoal.exe C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File created \??\c:\Program Files\PublishRevoke.doc.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files\PublishRevoke.doc.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files\PublishRevoke.doc.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files\PublishRevoke.doc.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files\PublishRevoke.doc.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files\PublishRevoke.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files\PublishRevoke.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\bnrndwmv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\bnrndwmv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\zvvrsraxcl.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrndwmv.exe N/A
N/A N/A C:\Windows\SysWOW64\gsrpjbjlmeoal.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\zvvrsraxcl.exe
PID 2452 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\zvvrsraxcl.exe
PID 2452 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\zvvrsraxcl.exe
PID 2452 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\zvvrsraxcl.exe
PID 2452 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe
PID 2452 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe
PID 2452 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe
PID 2452 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe
PID 2452 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2452 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2452 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2452 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\gsrpjbjlmeoal.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\gsrpjbjlmeoal.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\gsrpjbjlmeoal.exe
PID 2452 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Windows\SysWOW64\gsrpjbjlmeoal.exe
PID 2852 wrote to memory of 2624 N/A C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2852 wrote to memory of 2624 N/A C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2852 wrote to memory of 2624 N/A C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2852 wrote to memory of 2624 N/A C:\Windows\SysWOW64\zvvrsraxcl.exe C:\Windows\SysWOW64\bnrndwmv.exe
PID 2452 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2452 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2452 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2452 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3044 wrote to memory of 1644 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1644 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1644 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3044 wrote to memory of 1644 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe

"C:\Users\Admin\AppData\Local\Temp\acacf07347ddcc9e387db0e4b34c443b.exe"

C:\Windows\SysWOW64\zvvrsraxcl.exe

zvvrsraxcl.exe

C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe

wjcyqyysmurgtuz.exe

C:\Windows\SysWOW64\bnrndwmv.exe

bnrndwmv.exe

C:\Windows\SysWOW64\gsrpjbjlmeoal.exe

gsrpjbjlmeoal.exe

C:\Windows\SysWOW64\bnrndwmv.exe

C:\Windows\system32\bnrndwmv.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2452-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\wjcyqyysmurgtuz.exe

MD5 d1d580eb3eca64769538e170f034a4dc
SHA1 0b99088c88364833b2e492abe5ab0e854a329df8
SHA256 1a1046eab15ba8a58e7abb6017145a87e27e6bbf17889d3dddecaf52975a719b
SHA512 2316d89cdc5e435603cad0bcc49fa5591fe4a2fe259a95630be37a44d6fa555a829bd4144a767e936abec51d7bf04d6fb307c98c9ff34e3829d0f19985e41853

\Windows\SysWOW64\zvvrsraxcl.exe

MD5 8cd1af42ae052582502911fd36fe80bc
SHA1 69a2ffaccf8836cf05fd25d368dd33bff5c3f106
SHA256 1f9fca700b8cebdaab6877491e8b2a00e25b0f0775fadf89a3579d345f341577
SHA512 8a9368f71cf2a0eea27693abcf61baa27557118130950b8850102a2930513f5b2fb5deb65da14537dfd4b0557b7e6376509c3d386072c4689f19aca49d293aa0

C:\Windows\SysWOW64\bnrndwmv.exe

MD5 ce96e83ddbc643a5922bcba051d50b2f
SHA1 04e9fd083ec6f1868deab64bee37d0845e483419
SHA256 29fb7e1588e0c20b745ae80208edabc2f4b418f0b39a9d4163aefa9ad9f143d9
SHA512 49e762024ebc2550a5ad583d4d725b1c473f00532f5362f36f0e080ec3aced0ff3d3eaf8e20474a9601ca0257f3ad463dc30bce3aa31ecc66cb6824e3e868dd1

C:\Windows\SysWOW64\gsrpjbjlmeoal.exe

MD5 4630bf4dbf99377e79918cee32a3c659
SHA1 d51f259788f003f325c079865e10e77871bcd465
SHA256 0f29fbe810c44ca3646b2979d50d135bb4351c79d264bae6512aa8b7f8198f5a
SHA512 b3e9c6ab56d6575492d5542272537ca3aa0c941b774210ad38e6ffbaa7df28f584fe5a2fefec2d5e0602bef56893a54e4f1a105c1f2f67599a19c35e5976cb47

memory/3044-45-0x000000002F4A1000-0x000000002F4A2000-memory.dmp

memory/3044-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/3044-47-0x00000000715BD000-0x00000000715C8000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files\PublishRevoke.doc.exe

MD5 510f341b1d95369ab07778bcdc03747f
SHA1 96329d5de60b383a9b4121e05a559050e5b36ef3
SHA256 a4b6eae1caff6a68901d658790738a2654027c982ff1a7273a38f7e30fc08bdf
SHA512 15cfd9aa3f0ae7a10c8f4c529b0610e7a098c55451ee64f4db4e6f5a4f1f5f7c0bf431aeb8c6761152ba0bc58588b2969845cb641d30b4ed5eab092abb365bf6

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 c5b975488c14e10f0f93f41ef543a41b
SHA1 1e3e5c5d69f2f95c9a275374b098308c5172e4e1
SHA256 95a0865cf539228afc0f23f854b8b47265648af810ffb0ad1144e70f8a1e864e
SHA512 5b1639e3aa561ecd9fc005f00ab547f4a808b96516361f23f700b324b4ef197da09422b379e26db6d06ec8bde017089ad3c04d92f45a3a21ac011e9efa6fc75b

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 127c49c0d6341ba4c28db438a9418464
SHA1 0576206c0109149331fa79923af9574b564ab8e4
SHA256 3e14736828bc10c0007d7d1e60c5075b3c2d26dda7336a4f5e441125634263b5
SHA512 6bdcfe19ca096439808566e7b15619031f81657485078e39144714db2258db117e8f5106747e637e2782045f07fc88734601475638bc4a244798c7dad65e72c4

memory/2916-84-0x00000000040B0000-0x00000000040B1000-memory.dmp

memory/3044-89-0x00000000715BD000-0x00000000715C8000-memory.dmp

memory/2916-91-0x00000000040B0000-0x00000000040B1000-memory.dmp

memory/2916-96-0x0000000002680000-0x0000000002690000-memory.dmp