b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
Size

512KB
MD5

6f91d104958a5ca488ef235eec0c5cb4
SHA1

da2b08f41effa470dc52346de414c245ecd7a464
SHA256

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee
SHA512

d267842ff5fd158fe1700cfa7be1c6b086e9cb12a86f836e068adddc1574793a5a08f1b8d299c188ca597a036bd191612df3f32c0a9f360a99eb3f183be6527d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6z:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5G

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	kyismztmvx.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kyismztmvx.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kyismztmvx.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kyismztmvx.exe

Executes dropped EXE 5 IoCs

Processes:

kyismztmvx.exepgnzxgnvnyckzxc.exeaeojygxf.exegcbtpvyrcucnd.exeaeojygxf.exe

pid process

2948 kyismztmvx.exe
2544 pgnzxgnvnyckzxc.exe
2636 aeojygxf.exe
2740 gcbtpvyrcucnd.exe
2652 aeojygxf.exe

pid	process
2948	kyismztmvx.exe
2544	pgnzxgnvnyckzxc.exe
2636	aeojygxf.exe
2740	gcbtpvyrcucnd.exe
2652	aeojygxf.exe

Loads dropped DLL 5 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exekyismztmvx.exe

pid	process
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
2948	kyismztmvx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	kyismztmvx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

pgnzxgnvnyckzxc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dgtyvatv = "kyismztmvx.exe"	pgnzxgnvnyckzxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tuepexyv = "pgnzxgnvnyckzxc.exe"	pgnzxgnvnyckzxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gcbtpvyrcucnd.exe"	pgnzxgnvnyckzxc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aeojygxf.exekyismztmvx.exeaeojygxf.exe

description	ioc	process
File opened (read-only)	\??\a:	aeojygxf.exe
File opened (read-only)	\??\b:	kyismztmvx.exe
File opened (read-only)	\??\m:	aeojygxf.exe
File opened (read-only)	\??\r:	aeojygxf.exe
File opened (read-only)	\??\t:	kyismztmvx.exe
File opened (read-only)	\??\a:	aeojygxf.exe
File opened (read-only)	\??\h:	aeojygxf.exe
File opened (read-only)	\??\t:	aeojygxf.exe
File opened (read-only)	\??\e:	aeojygxf.exe
File opened (read-only)	\??\e:	kyismztmvx.exe
File opened (read-only)	\??\s:	aeojygxf.exe
File opened (read-only)	\??\u:	kyismztmvx.exe
File opened (read-only)	\??\g:	aeojygxf.exe
File opened (read-only)	\??\k:	aeojygxf.exe
File opened (read-only)	\??\v:	aeojygxf.exe
File opened (read-only)	\??\g:	aeojygxf.exe
File opened (read-only)	\??\l:	aeojygxf.exe
File opened (read-only)	\??\l:	kyismztmvx.exe
File opened (read-only)	\??\r:	kyismztmvx.exe
File opened (read-only)	\??\s:	kyismztmvx.exe
File opened (read-only)	\??\n:	aeojygxf.exe
File opened (read-only)	\??\v:	aeojygxf.exe
File opened (read-only)	\??\k:	kyismztmvx.exe
File opened (read-only)	\??\o:	kyismztmvx.exe
File opened (read-only)	\??\j:	kyismztmvx.exe
File opened (read-only)	\??\w:	kyismztmvx.exe
File opened (read-only)	\??\z:	kyismztmvx.exe
File opened (read-only)	\??\m:	aeojygxf.exe
File opened (read-only)	\??\x:	aeojygxf.exe
File opened (read-only)	\??\a:	kyismztmvx.exe
File opened (read-only)	\??\p:	kyismztmvx.exe
File opened (read-only)	\??\i:	aeojygxf.exe
File opened (read-only)	\??\i:	aeojygxf.exe
File opened (read-only)	\??\q:	aeojygxf.exe
File opened (read-only)	\??\z:	aeojygxf.exe
File opened (read-only)	\??\o:	aeojygxf.exe
File opened (read-only)	\??\i:	kyismztmvx.exe
File opened (read-only)	\??\l:	aeojygxf.exe
File opened (read-only)	\??\x:	aeojygxf.exe
File opened (read-only)	\??\n:	aeojygxf.exe
File opened (read-only)	\??\s:	aeojygxf.exe
File opened (read-only)	\??\g:	kyismztmvx.exe
File opened (read-only)	\??\u:	aeojygxf.exe
File opened (read-only)	\??\h:	kyismztmvx.exe
File opened (read-only)	\??\v:	kyismztmvx.exe
File opened (read-only)	\??\j:	aeojygxf.exe
File opened (read-only)	\??\e:	aeojygxf.exe
File opened (read-only)	\??\w:	aeojygxf.exe
File opened (read-only)	\??\z:	aeojygxf.exe
File opened (read-only)	\??\b:	aeojygxf.exe
File opened (read-only)	\??\r:	aeojygxf.exe
File opened (read-only)	\??\m:	kyismztmvx.exe
File opened (read-only)	\??\p:	aeojygxf.exe
File opened (read-only)	\??\y:	aeojygxf.exe
File opened (read-only)	\??\q:	kyismztmvx.exe
File opened (read-only)	\??\b:	aeojygxf.exe
File opened (read-only)	\??\j:	aeojygxf.exe
File opened (read-only)	\??\k:	aeojygxf.exe
File opened (read-only)	\??\p:	aeojygxf.exe
File opened (read-only)	\??\y:	aeojygxf.exe
File opened (read-only)	\??\t:	aeojygxf.exe
File opened (read-only)	\??\u:	aeojygxf.exe
File opened (read-only)	\??\n:	kyismztmvx.exe
File opened (read-only)	\??\y:	kyismztmvx.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

kyismztmvx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	kyismztmvx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	kyismztmvx.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1268-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
C:\Windows\SysWOW64\pgnzxgnvnyckzxc.exe	autoit_exe
\Windows\SysWOW64\kyismztmvx.exe	autoit_exe
\Windows\SysWOW64\aeojygxf.exe	autoit_exe
\Windows\SysWOW64\gcbtpvyrcucnd.exe	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

kyismztmvx.exeb6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	kyismztmvx.exe
File opened for modification	C:\Windows\SysWOW64\kyismztmvx.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File opened for modification	C:\Windows\SysWOW64\aeojygxf.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File opened for modification	C:\Windows\SysWOW64\gcbtpvyrcucnd.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File created	C:\Windows\SysWOW64\aeojygxf.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File created	C:\Windows\SysWOW64\gcbtpvyrcucnd.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File created	C:\Windows\SysWOW64\kyismztmvx.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File created	C:\Windows\SysWOW64\pgnzxgnvnyckzxc.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File opened for modification	C:\Windows\SysWOW64\pgnzxgnvnyckzxc.exe	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe

Drops file in Program Files directory 14 IoCs

Processes:

aeojygxf.exeaeojygxf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	aeojygxf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	aeojygxf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aeojygxf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aeojygxf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	aeojygxf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	aeojygxf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	aeojygxf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	aeojygxf.exe

Drops file in Windows directory 5 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEkyismztmvx.exeb6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	kyismztmvx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	kyismztmvx.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	kyismztmvx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FACAF963F29384783B4686EE3E97B08103FD43120332E2C445E808A9"	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	kyismztmvx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	kyismztmvx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	kyismztmvx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1944C77415E7DBC2B8C17F95EC9737CF"	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2416 WINWORD.EXE

pid	process
2416	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exekyismztmvx.exeaeojygxf.exepgnzxgnvnyckzxc.exegcbtpvyrcucnd.exeaeojygxf.exe

pid	process
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2652	aeojygxf.exe
2652	aeojygxf.exe
2652	aeojygxf.exe
2652	aeojygxf.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2544	pgnzxgnvnyckzxc.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exekyismztmvx.exeaeojygxf.exepgnzxgnvnyckzxc.exegcbtpvyrcucnd.exeaeojygxf.exe

pid	process
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2652	aeojygxf.exe
2652	aeojygxf.exe
2652	aeojygxf.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exekyismztmvx.exeaeojygxf.exepgnzxgnvnyckzxc.exegcbtpvyrcucnd.exeaeojygxf.exe

pid	process
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2948	kyismztmvx.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2636	aeojygxf.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2544	pgnzxgnvnyckzxc.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2740	gcbtpvyrcucnd.exe
2652	aeojygxf.exe
2652	aeojygxf.exe
2652	aeojygxf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2416 WINWORD.EXE
2416 WINWORD.EXE

pid	process
2416	WINWORD.EXE
2416	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exekyismztmvx.exeWINWORD.EXE

description	pid	process	target process
PID 1268 wrote to memory of 2948	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	kyismztmvx.exe
PID 1268 wrote to memory of 2948	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	kyismztmvx.exe
PID 1268 wrote to memory of 2948	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	kyismztmvx.exe
PID 1268 wrote to memory of 2948	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	kyismztmvx.exe
PID 1268 wrote to memory of 2544	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	pgnzxgnvnyckzxc.exe
PID 1268 wrote to memory of 2544	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	pgnzxgnvnyckzxc.exe
PID 1268 wrote to memory of 2544	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	pgnzxgnvnyckzxc.exe
PID 1268 wrote to memory of 2544	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	pgnzxgnvnyckzxc.exe
PID 1268 wrote to memory of 2636	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	aeojygxf.exe
PID 1268 wrote to memory of 2636	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	aeojygxf.exe
PID 1268 wrote to memory of 2636	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	aeojygxf.exe
PID 1268 wrote to memory of 2636	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	aeojygxf.exe
PID 1268 wrote to memory of 2740	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	gcbtpvyrcucnd.exe
PID 1268 wrote to memory of 2740	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	gcbtpvyrcucnd.exe
PID 1268 wrote to memory of 2740	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	gcbtpvyrcucnd.exe
PID 1268 wrote to memory of 2740	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	gcbtpvyrcucnd.exe
PID 2948 wrote to memory of 2652	2948	kyismztmvx.exe	aeojygxf.exe
PID 2948 wrote to memory of 2652	2948	kyismztmvx.exe	aeojygxf.exe
PID 2948 wrote to memory of 2652	2948	kyismztmvx.exe	aeojygxf.exe
PID 2948 wrote to memory of 2652	2948	kyismztmvx.exe	aeojygxf.exe
PID 1268 wrote to memory of 2416	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	WINWORD.EXE
PID 1268 wrote to memory of 2416	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	WINWORD.EXE
PID 1268 wrote to memory of 2416	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	WINWORD.EXE
PID 1268 wrote to memory of 2416	1268	b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe	WINWORD.EXE
PID 2416 wrote to memory of 1684	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1684	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1684	2416	WINWORD.EXE	splwow64.exe
PID 2416 wrote to memory of 1684	2416	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe
"C:\Users\Admin\AppData\Local\Temp\b6f0f81ecbef63b78f96402aea3b00e8443acaa76c130d9ba685c517cdae21ee.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\kyismztmvx.exe
  kyismztmvx.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\aeojygxf.exe
    C:\Windows\system32\aeojygxf.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2652
- C:\Windows\SysWOW64\pgnzxgnvnyckzxc.exe
  pgnzxgnvnyckzxc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2544
- C:\Windows\SysWOW64\aeojygxf.exe
  aeojygxf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2636
- C:\Windows\SysWOW64\gcbtpvyrcucnd.exe
  gcbtpvyrcucnd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2740
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
af2849d3a20c640a3f7f774baed42943

SHA1
8fd0e835564b7613a4cc13d168cf47dca94cc6fe

SHA256
1468d28e2b03ea0dcb4bb816f47765a22ea654bd1853215e736606fbe02eb97b

SHA512
541bf826903e4139646160ae2c7856a67846a9bd65efce79c8645e8beda86d077c964d4c17d4ff2f0f512eb59cb686b2b7750c456dc808fe33d9929fc99f93e2

Download Submit
C:\Windows\SysWOW64\pgnzxgnvnyckzxc.exe

Filesize
512KB

MD5
951f65f1b2580bed8ae8f874fe8bf5e2

SHA1
cbf6d015a0c01491192a0cc6ee2ece17948eae82

SHA256
714d1f136db7549b310944ffea37e80e99923105981b097dc1849dedbe8d6c50

SHA512
99902e666d5b2eeb6ffb6c7cad82c1b7bacb674a553e68b95857e39d0db5ac80429a04848e0c6dfbf3243ddb98c4ef1168454e7c6221ecbfcb232dfd51c8ee81

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\aeojygxf.exe

Filesize
512KB

MD5
216b1a5e938097c2fc1882d17094d0d6

SHA1
2f30e439a26fb25add663138d22e32dadd8a3b79

SHA256
26b6edebc787ad8167d677a873210c00f5afda9ef8ff750367ff9ef9acba6d13

SHA512
4440b8f9608153afb2d1de93f282f037786335f9743332d19f845d239d00b78b96eeafad521b5a34eb31e04038d05c16b391b136a84f0f8eb2069a6a2a6a61d4

Download Submit
\Windows\SysWOW64\gcbtpvyrcucnd.exe

Filesize
512KB

MD5
da7e491890e713708554bed448f2e346

SHA1
9bec822f2f775d895ea6bf96285241c0fc7e0905

SHA256
819cf2544ab22696c7e30c5534977454432e55feff2f138b67c9f5f2706e8491

SHA512
522d644092f4c8e01e39c17ee71cb7c59030ce1276bceba13d39ae0eec79cc1d89a28993eff6b7018a43328cf39faa8e07f0ed31bde7fcfcc1fb884c1abfde55

Download Submit
\Windows\SysWOW64\kyismztmvx.exe

Filesize
512KB

MD5
a5378a7e3fdddc40ebf10378d5f1e048

SHA1
b39f2186491d8cec37d9c9716dd2e530fa1b9361

SHA256
84ea60b02224af785c43082853880bc563a1e682ad6557106999594eaf66b0da

SHA512
7c683f56ffc6aff27d1e3ce80e025307ecf2cade26de712f91e0966c11df50296f06b17b46da6d96bd642cce4b3b2e657e5d4f59f622744b16e37dd575992bab

Download Submit
memory/1268-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2416-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2416-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download