Analysis
max time kernel: 152s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2022, 10:43
Behavioral task: behavioral1
Sample: cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Resource: win7-20220812-en
General
Target: cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Size: 255KB
MD5: 041517df62f8e841367468104014d91a
SHA1: 469d197f59194f70a58941921de4c14c86f4dceb
SHA256: cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15
SHA512: 0ae84ae5977380d411ba41917c94446a98361dcff643cb952a69317e925470dcc0e18c5069b2be49e0a08e8eeb43343466815bdab5d438a0ca7d71aa0f017d66
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJH:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI2
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jhhbbvlxno.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jhhbbvlxno.exe
Windows security bypass (5 IoCs)
All five values live under the 32-bit view of the Security Center key and silence the firewall, antivirus and update notifications a user would otherwise see.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jhhbbvlxno.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jhhbbvlxno.exe
Executes dropped EXE (6 IoCs)
pid | process
1696 | jhhbbvlxno.exe
1340 | sbkcccbhfwttcda.exe
1104 | qglkiver.exe
1344 | drbxbxdvesrwj.exe
1504 | qglkiver.exe
1372 | drbxbxdvesrwj.exe
UPX packed file (yara rule: upx; 34 IoCs)
Every memory hit is the same 0x00400000-0x004A0000 image range, once per process (and a second time later in the run), which is consistent with all six dropped executables being copies of the same packed binary.
resource | yara_rule
behavioral1/memory/1900-55-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x000c0000000054a8-56.dat | upx
behavioral1/files/0x000c0000000054a8-58.dat | upx
behavioral1/files/0x000c0000000054a8-60.dat | upx
behavioral1/files/0x000b000000012315-61.dat | upx
behavioral1/files/0x000b000000012315-63.dat | upx
behavioral1/files/0x0009000000012326-64.dat | upx
behavioral1/files/0x0009000000012326-66.dat | upx
behavioral1/files/0x000800000001232e-67.dat | upx
behavioral1/files/0x000800000001232e-71.dat | upx
behavioral1/files/0x0009000000012326-73.dat | upx
behavioral1/files/0x000b000000012315-74.dat | upx
behavioral1/files/0x000800000001232e-75.dat | upx
behavioral1/files/0x000800000001232e-82.dat | upx
behavioral1/files/0x0009000000012326-81.dat | upx
behavioral1/files/0x0009000000012326-78.dat | upx
behavioral1/files/0x000800000001232e-77.dat | upx
behavioral1/memory/1696-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1340-87-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1104-88-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1344-89-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1504-90-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1372-91-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1900-93-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1696-100-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1340-101-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1104-102-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1344-103-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1504-104-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/1372-105-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/files/0x00070000000136c6-107.dat | upx
behavioral1/files/0x00070000000139e2-108.dat | upx
behavioral1/files/0x00070000000139fe-109.dat | upx
behavioral1/files/0x0007000000013a0e-110.dat | upx
Loads dropped DLL (6 IoCs)
pid | process
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe (4 loads)
708 | cmd.exe
1696 | jhhbbvlxno.exe
Reads user/profile data of web browsers (2 TTPs; no IoCs listed)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
Windows security modification (6 IoCs)
The same Security Center values as above plus FirstRunDisabled, written a second time.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jhhbbvlxno.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Note the third Set value: the Run key's default (unnamed) value is set to drbxbxdvesrwj.exe, so a listing that only shows named values will miss it.
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | sbkcccbhfwttcda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yaecwxda = "jhhbbvlxno.exe" | sbkcccbhfwttcda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\czaxakah = "sbkcccbhfwttcda.exe" | sbkcccbhfwttcda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "drbxbxdvesrwj.exe" | sbkcccbhfwttcda.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Every entry is a read-only open of a drive root through its \??\ device path. Grouped by process:
description | ioc | process
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\v: \??\w: \??\x: \??\z: | jhhbbvlxno.exe (21 opens, one per letter)
File opened (read-only) | \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z: | qglkiver.exe (43 opens; every letter except i, p, s, w and x is opened twice, consistent with the two qglkiver.exe instances, PIDs 1104 and 1504)
Modifies WinLogon (2 TTPs, 2 IoCs)
SFCDisable = 4294967197 is the DWORD 0xFFFFFF9D, the Windows 2000/XP-era switch for turning off Windows File Protection; Windows 7's Resource Protection does not read it, so treat the write as an indicator of intent rather than a working bypass.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jhhbbvlxno.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jhhbbvlxno.exe
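The registry rows above (Explorer HideFileExt and ShowSuperHidden, the Security Center notification and override flags, DisableRegistryTools, the Winlogon SFC values and the Run keys) are the core of what jhhbbvlxno.exe and sbkcccbhfwttcda.exe do to the host. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in exactly the report's text form into hive-normalised records (\REGISTRY\MACHINE becomes HKLM, \REGISTRY\USER\<SID> becomes HKU\<SID>), tags the ones that weaken defences, and adds the 32-bit DWORD view of int values so that SFCDisable = "4294967197" reads as 0xffffff9d. The rows are copied from this page; the rule table and its labels are mine. Two caveats for triage: HideFileExt = 1 and ShowSuperHidden = 0 are the Windows defaults, so on a real host the evidence is the process that wrote them, not the values; and a row the parser cannot read raises rather than being silently dropped, because a missed IoC is worse than a crash during triage.

```python
import re

# IoC rows copied verbatim from this report's Signatures section (one row per line).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" jhhbbvlxno.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jhhbbvlxno.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" jhhbbvlxno.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jhhbbvlxno.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" jhhbbvlxno.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run sbkcccbhfwttcda.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yaecwxda = "jhhbbvlxno.exe" sbkcccbhfwttcda.exe',
]

# One report row: operation, NT-style key path (may contain spaces), optional = "data", process.
# The path is matched lazily so it stops at the first ' = "' or, for Key created/deleted,
# at the single space before the process name.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Set value \((?P<type>\w+)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")?'
    r' (?P<process>\S+)$'
)

# (fragment of the canonical key path, value name or None, data or None, label). Canonical
# means lower-case with "\Wow6432Node" removed, so the 32-bit view matches the same rule.
# The table and labels are this example's own, not the sandbox's.
RULES = [
    ('\\microsoft\\security center', None, None, 'Security Center notifications/overrides'),
    ('\\policies\\system', 'disableregistrytools', '1', 'regedit disabled by policy'),
    ('\\explorer\\advanced', 'hidefileext', '1', 'Explorer hides file extensions'),
    ('\\explorer\\advanced', 'showsuperhidden', '0', 'Explorer hides protected OS files'),
    ('\\windows nt\\currentversion\\winlogon', 'sfcdisable', None, 'legacy SFCDisable (WFP) switch'),
    ('\\currentversion\\run', None, None, 'persistence via Run key'),
]


def classify(key, name, data):
    """Return the first matching RULES label for a key/value/data triple, or None."""
    canon = key.lower().replace('\\wow6432node', '')
    for fragment, rule_name, rule_data, label in RULES:
        if fragment not in canon:
            continue
        if rule_name is not None and (name or '').lower() != rule_name:
            continue
        if rule_data is not None and data != rule_data:
            continue
        return label
    return None


def normalize(row):
    """Parse one report row into a dict with an HKLM/HKU-style key, value name, data and tag."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError('unrecognised IoC row: ' + row)
    parts = m['path'].split('\\', 3)            # ['', 'REGISTRY', 'MACHINE' | 'USER', rest]
    hive = 'HKLM' if parts[2].upper() == 'MACHINE' else 'HKU'
    rel = parts[3]
    if m['op'].startswith('Set value'):
        key, _, name = rel.rpartition('\\')     # empty name = the key's default value
    else:
        key, name = rel, None                   # Key created/deleted rows carry no value
    rec = {
        'op': m['op'], 'type': m['type'], 'process': m['process'],
        'key': hive + '\\' + key, 'name': name, 'data': m['data'],
        'tag': classify(key, name, m['data']),
    }
    if m['type'] == 'int' and m['data'] is not None:
        rec['data_hex'] = hex(int(m['data']) & 0xFFFFFFFF)   # 4294967197 -> 0xffffff9d
    return rec


def triage(rows=REPORT_ROWS):
    return [normalize(r) for r in rows]


if __name__ == '__main__':
    for r in triage():
        print(f"{r['process']:20} {(r['tag'] or '-'):42} {r['key']}\\{r['name'] or ''}")
```

Run it as-is to see one line per row; feed it the rest of the report's rows to get the same normalisation for the whole page.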
AutoIT Executable (13 IoCs)
AutoIT scripts compiled to PE executables.
The autoit_exe hits are the same 0x00400000-0x004A0000 image ranges that matched the upx rule above, so both rules are describing one unpacked binary seen in each of the seven processes.
resource | yara_rule
behavioral1/memory/1696-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1340-87-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1104-88-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1344-89-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1504-90-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1372-91-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1900-93-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1696-100-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1340-101-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1104-102-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1344-103-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1504-104-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/1372-105-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
The four dropped executables land in C:\Windows\SysWOW64, the 32-bit system directory. The one entry that is not a drop is jhhbbvlxno.exe opening msvbvm60.dll (the Visual Basic 6 runtime) for modification; on a live host compare that DLL's hash against a known-good copy.
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\jhhbbvlxno.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File created | C:\Windows\SysWOW64\sbkcccbhfwttcda.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File created | C:\Windows\SysWOW64\qglkiver.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File opened for modification | C:\Windows\SysWOW64\qglkiver.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jhhbbvlxno.exe
File created | C:\Windows\SysWOW64\jhhbbvlxno.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File opened for modification | C:\Windows\SysWOW64\sbkcccbhfwttcda.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File created | C:\Windows\SysWOW64\drbxbxdvesrwj.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File opened for modification | C:\Windows\SysWOW64\drbxbxdvesrwj.exe | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Drops file in Program Files directory (14 IoCs)
All 14 entries are by qglkiver.exe and all sit in C:\Program Files (x86)\Microsoft Office\Office14\1033\. The new files are named PROTTPLN.DOC.exe and PROTTPLV.DOC.exe; with HideFileExt = 1 (set by jhhbbvlxno.exe above) Explorer shows them as PROTTPLN.DOC and PROTTPLV.DOC. Each path is reported both as C:\... and as the \??\c:\... device form.
description | ioc | process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | qglkiver.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (2 opens) | qglkiver.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (2 opens) | qglkiver.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | qglkiver.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (2 opens) | qglkiver.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (2 opens) | qglkiver.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (2 opens) | qglkiver.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (2 opens) | qglkiver.exe
Drops file in Windows directory (5 IoCs)
The sample writes C:\Windows\mydoc.rtf and then hands it to WINWORD.EXE (PID 1780); the ~$mydoc.rtf owner file and the WIA trace log are Word's own side effects of opening it.
description | ioc | process
File opened for modification | C:\Windows\mydoc.rtf | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP; no IoCs listed)
Attempts to interact with connected storage/optical drive(s). Common in ransomware, but the same enumeration is used by worms and file infectors looking for removable drives to copy themselves to, so this signature alone does not establish ransomware.
Office loads VBA resources, possible macro or embedded object present (no IoCs listed)
Modifies Internet Explorer settings (31 IoCs)
Every row is written by WINWORD.EXE (PID 1780, spawned by the sample to open C:\Windows\mydoc.rtf). The HKLM half is Word deleting and recreating its "Default HTML Editor" and "Default MHTML Editor" registration; the HKU half is Office's IE context-menu entries. None of it is attributable to the dropped binaries.

User hive, all under \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer:
description | ioc | process
Key created | Toolbar | WINWORD.EXE
Set value (str) | Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | MenuExt | WINWORD.EXE
Key created | MenuExt\Se&nd to OneNote | WINWORD.EXE
Set value (str) | MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (str) | MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE

Machine hive, all under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer; the same delete-then-recreate sequence is applied to both editors:
description | ioc | process
Key deleted | Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | Default HTML Editor\shell | WINWORD.EXE
Key deleted | Default HTML Editor | WINWORD.EXE
Key created | Default HTML Editor | WINWORD.EXE
Key created | Default HTML Editor\shell | WINWORD.EXE
Key created | Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | Default MHTML Editor\shell | WINWORD.EXE
Key deleted | Default MHTML Editor | WINWORD.EXE
Key created | Default MHTML Editor | WINWORD.EXE
Key created | Default MHTML Editor\shell | WINWORD.EXE
Key created | Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
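The long hex blobs WINWORD.EXE writes under ...\shell\edit\command\command are the part of this block that looks most alarming, so the added example below (mine, not from the report or from Office) decodes them. Each is a UTF-16LE string (the trailing 0000 0000 is the REG_MULTI_SZ terminator) holding a Windows Installer Darwin descriptor: a 20-character compressed product GUID, a feature name, a '>' and a 20-character compressed component GUID, followed by the verb's arguments. The Word and Excel hex strings are copied verbatim from this report; the compressed GUIDs are left as-is, since recognising the layout is enough to see that this is Office's advertised-component registration rather than something the malware planted.

```python
# Registry "(data)" values copied verbatim from this report (hex of the raw bytes).
WORD_EDIT_COMMAND = (
    '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052'
    '004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b0030007600'
    '6d007e0041005a00750020002f006e002000220025003100220000000000'
)
EXCEL_EDIT_COMMAND = (
    '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800'
    '430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100'
    '460049006400310067004c00510020002f0064006400650000000000'
)


def decode_reg_data(hex_value: str) -> str:
    """Decode a hex-dumped registry value that is really UTF-16LE text.

    Strips the trailing NULs (a REG_MULTI_SZ with one string ends in two of them)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) % 2:
        raise ValueError('odd byte count: not a UTF-16 string')
    return raw.decode('utf-16-le').rstrip('\x00')


def split_darwin_descriptor(text: str):
    """Split '<product><feature>><component> <args>' into its parts, or None if it is not one.

    Product and component are Windows Installer compressed GUIDs: 20 characters each from a
    base-85 alphabet whose zero digit is '!', which is why the product contains a run of '!'."""
    if len(text) < 41:                      # 20 + at least 1 + '>' + 20
        return None
    product, rest = text[:20], text[20:]
    feature, sep, tail = rest.partition('>')
    if not sep or not feature or len(tail) < 20:
        return None
    return {
        'product': product,
        'feature': feature,
        'component': tail[:20],
        'args': tail[20:].strip(),
    }


def summarize(hex_value: str) -> str:
    """One-line human summary of a command\\command value from the report."""
    parts = split_darwin_descriptor(decode_reg_data(hex_value))
    if parts is None:
        return 'not a Darwin descriptor'
    return (f"feature={parts['feature']} product={parts['product']} "
            f"component={parts['component']} args={parts['args']!r}")


if __name__ == '__main__':
    print(summarize(WORD_EDIT_COMMAND))
    print(summarize(EXCEL_EDIT_COMMAND))
```

Both values share the same product code (the '!' run marks the zero words of the GUID) and differ only in feature (WORDFiles vs EXCELFiles) and arguments (/n "%1" vs /dde), which is exactly what Office's own file-association setup produces. The same decoder applies to the Publisher and Excel values in the "Modifies registry class" block below.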
Modifies registry class (64 IoCs)
All paths below are under \REGISTRY\MACHINE\SOFTWARE\Classes. The eight entries by the sample and jhhbbvlxno.exe come first. Pointing .wsc and .WSF at the txtfile ProgID makes Windows open script files in the text editor instead of running them. The CLV.Classes values are opaque hex strings written by the sample itself; treat the key as an IoC. The remaining 56 entries are WINWORD.EXE (PID 1780) re-registering Office's .htm/.mht handlers and the msohtmed.exe CLSID, and carry no malware-specific information.

description | ioc | process
Key created | .wsc | jhhbbvlxno.exe
Set value (str) | .wsc\ = "txtfile" | jhhbbvlxno.exe
Set value (str) | .WSF\ = "txtfile" | jhhbbvlxno.exe
Key created | .reg | jhhbbvlxno.exe
Set value (str) | CLV.Classes\StartCom1 = "E0816BB4FE1821DBD10ED1A68A7D916B" | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Set value (str) | CLV.Classes\StartCom2 = "183AC77B15E3DBB3B8BC7C94ED9F34BA" | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Set value (str) | CLV.Classes\Com2 = "6BCDFACDF966F1E383083B4286993999B08903884213023DE1CD429D08D2" | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe
Set value (str) | CLV.Classes\Com3 = "2ECAB12D47E239E953BEB9D432E9D4C4" | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe

WINWORD.EXE, .htm\OpenWithList (20 entries):
Key created | .htm\OpenWithList\MSPub.exe; MSPub.exe\shell\edit; Microsoft Publisher\shell\edit\command; Microsoft Excel; Microsoft Excel\shell\edit; Microsoft Excel\shell\edit\ddeexec\application; Microsoft Excel\shell\edit\ddeexec\topic; Excel.exe\shell\edit\command; Excel.exe\shell\edit\ddeexec\application; Excel.exe\shell\edit\ddeexec\topic; WinWord.exe | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE

WINWORD.EXE, .mht\OpenWithList (17 entries):
Key created | .mht\OpenWithList\MSPub.exe; Microsoft Publisher; WinWord.exe; Microsoft Word\shell\edit; Microsoft Word\shell\edit\command; Microsoft Excel\shell\edit\command; Microsoft Excel\shell\edit\ddeexec; Microsoft Excel\shell\edit\ddeexec\topic; Excel.exe\shell\edit\command; Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | .mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | .mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | .mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | .mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (data) | .mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | .mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | .mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE

WINWORD.EXE, htmlfile and mhtmlfile ProgIDs (14 entries):
Key created | htmlfile; htmlfile\ShellEx; mhtmlfile\DefaultIcon; mhtmlfile\shell\Edit; mhtmlfile\shell\Edit\command; mhtmlfile\shell\Print; mhtmlfile\shell\Print\command | WINWORD.EXE
Key deleted | htmlfile\shell\Print | WINWORD.EXE
Set value (str) | htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Set value (str) | htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE

WINWORD.EXE, Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} (5 entries):
Key created | Version; Version\14; Old Icon\htmlfile; InprocServer32 | WINWORD.EXE
Set value (str) | Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
1780 | WINWORD.EXE (Word itself, not one of the dropped binaries)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process | occurrences
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 8
1696 | jhhbbvlxno.exe | 5
1104 | qglkiver.exe | 4
1340 | sbkcccbhfwttcda.exe | 11
1344 | drbxbxdvesrwj.exe | 16
1372 | drbxbxdvesrwj.exe | 16
1504 | qglkiver.exe | 4
Suspicious use of FindShellTrayWindow (21 IoCs)
pid | process | occurrences
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 3
1696 | jhhbbvlxno.exe | 3
1104 | qglkiver.exe | 3
1340 | sbkcccbhfwttcda.exe | 3
1344 | drbxbxdvesrwj.exe | 3
1372 | drbxbxdvesrwj.exe | 3
1504 | qglkiver.exe | 3
Suspicious use of SendNotifyMessage (21 IoCs)
pid | process | occurrences
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 3
1696 | jhhbbvlxno.exe | 3
1104 | qglkiver.exe | 3
1340 | sbkcccbhfwttcda.exe | 3
1344 | drbxbxdvesrwj.exe | 3
1372 | drbxbxdvesrwj.exe | 3
1504 | qglkiver.exe | 3
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | process | occurrences
1780 | WINWORD.EXE (Word itself, not one of the dropped binaries) | 2
Suspicious use of WriteProcessMemory (36 IoCs)
The 36 rows are nine writer/target pairs, each reported four times; procid_target is the sandbox's own identifier for the target process. Every pair coincides with a process launch in the Processes section, so the signature here reflects parents setting up the children they spawn rather than injection into an unrelated process.
pid | process | target pid | procid_target | rows
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 1696 | 28 | 4
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 1340 | 29 | 4
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 1104 | 30 | 4
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 1344 | 31 | 4
1340 | sbkcccbhfwttcda.exe | 708 | 32 | 4
1696 | jhhbbvlxno.exe | 1504 | 34 | 4
708 | cmd.exe | 1372 | 35 | 4
1900 | cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe | 1780 | 36 | 4
1780 | WINWORD.EXE | 1912 | 40 | 4
Processes

Indentation and the [n] prefix give each process's depth in the tree as reported.

[1] C:\Users\Admin\AppData\Local\Temp\cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\jhhbbvlxno.exe (PID 1696)
        Command line: jhhbbvlxno.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\qglkiver.exe (PID 1504)
            Command line: C:\Windows\system32\qglkiver.exe
            (the 32-bit parent names system32; WOW64 file system redirection resolves that path to SysWOW64, which is why the image on disk is under SysWOW64)
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\sbkcccbhfwttcda.exe (PID 1340)
        Command line: sbkcccbhfwttcda.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 708)
            Command line: cmd.exe /c drbxbxdvesrwj.exe
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\drbxbxdvesrwj.exe (PID 1372)
                Command line: drbxbxdvesrwj.exe
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\qglkiver.exe (PID 1104)
        Command line: qglkiver.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Windows\SysWOW64\drbxbxdvesrwj.exe (PID 1344)
        Command line: drbxbxdvesrwj.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1780)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\splwow64.exe (PID 1912)
            Command line: C:\Windows\splwow64.exe 12288
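The WriteProcessMemory IoC list and the process tree above should agree with each other, and that check can be done mechanically rather than by eye. The Python below is an added example, not part of the tria.ge report or its tooling: it parses the raw "PID X wrote to memory of Y ..." text in the run-together, repeated form in which it is scraped from the report, collapses the repeats, rebuilds the parent/child tree and lists every injection chain from the root. The input is constructed from the nine distinct events of this report; the regular expression, the function names and the "<leaf>" placeholder are this example's own. One caveat the code makes explicit: the IoC list names only the writing (parent) image, so a PID that never wrote to another process gets no image name from this data and has to be matched to the Processes section by PID.

```python
import re

# Constructed input: the nine distinct WriteProcessMemory events from this
# report, each repeated four times and joined on one line, which is how the
# IoC list arrives when the report page is scraped as plain text.
STAGE1 = "cd0156a292ab30feb1503fc1bde45dfa849d947c116ed17a1520923f7e19ed15.exe"
_EVENTS = [
    (1900, 1696, STAGE1, 28),
    (1900, 1340, STAGE1, 29),
    (1900, 1104, STAGE1, 30),
    (1900, 1344, STAGE1, 31),
    (1340, 708, "sbkcccbhfwttcda.exe", 32),
    (1696, 1504, "jhhbbvlxno.exe", 34),
    (708, 1372, "cmd.exe", 35),
    (1900, 1780, STAGE1, 36),
    (1780, 1912, "WINWORD.EXE", 40),
]
RAW_IOCS = " ".join(
    f"PID {p} wrote to memory of {c} {p} {img} {t}"
    for p, c, img, t in _EVENTS for _ in range(4)
)

# One event: "PID <parent> wrote to memory of <child> <parent> <image> <procid_target>".
# The backreference insists the pid column repeats the parent from the description.
EVENT_RE = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target>\d+)"
)


def parse_events(text):
    """Parse raw IoC text into (parent_pid, child_pid, parent_image) tuples, in order."""
    return [(int(m["parent"]), int(m["child"]), m["image"])
            for m in EVENT_RE.finditer(text)]


def collapse(events):
    """Collapse repeated events into an insertion-ordered {event: count} mapping."""
    counts = {}
    for ev in events:
        counts[ev] = counts.get(ev, 0) + 1
    return counts


def build_tree(events):
    """Return (roots, children, image_of) for the parent->child edges.

    image_of only covers PIDs that appear as a writer: the IoC list never names
    the child's image, so leaves must be matched to the Processes section by PID.
    """
    children, image_of, parent_of = {}, {}, {}
    for parent, child, image in collapse(events):
        children.setdefault(parent, []).append(child)
        image_of[parent] = image
        parent_of[child] = parent
    roots = [pid for pid in children if pid not in parent_of]
    return roots, children, image_of


def injection_chains(roots, children):
    """Every root-to-leaf PID path, in tree order."""
    chains = []

    def walk(pid, path):
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            chains.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return chains


def render(roots, children, image_of):
    """Indented text tree, one line per PID; '<leaf>' marks a PID with no known image."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image_of.get(pid, '<leaf>')}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    events = parse_events(RAW_IOCS)
    roots, children, image_of = build_tree(events)
    print("\n".join(render(roots, children, image_of)))
    longest = max(injection_chains(roots, children), key=len)
    print("longest chain:", " -> ".join(map(str, longest)))
```

Run stand-alone it prints a ten-line tree rooted at PID 1900 and reports the longest chain, 1900 -> 1340 -> 708 -> 1372: the sample writing into sbkcccbhfwttcda.exe, which launches cmd.exe /c drbxbxdvesrwj.exe. The five PIDs rendered as "<leaf>" (1504, 1372, 1104, 1344, 1912) are exactly the processes in the tree above that carry no WriteProcessMemory signature of their own.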
Network
MITRE ATT&CK Enterprise v6

Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
Downloads

The report lists 21 dropped files; identical files (same hashes, dropped to several locations) are collapsed below with the number of times each appears.

- Filesize: 255KB
  MD5: fe2397b175615a06d437cfcbb016d15d
  SHA1: 10b7ae422cf8d1a967d5992eed48c4bb3978cc94
  SHA256: 09aab99af37940233b9621cedd18301558a194afe2aec68b1e75dbbe814a22d3
  SHA512: 504c7ac4055784472b05eb8539ba9c5bbb79151bf4543353033cb33886be02c91f92d8e7442d38c9cbf5aeb1fd99e7a993f47246c5b432e0484290466de71f62

- Filesize: 255KB
  MD5: e218ccd65a1ec001939cd8e87e8b0625
  SHA1: 99d1cba89ca028bf7b703514898b49c6351ff69e
  SHA256: 3fe546e9ec30441a2c57250779d1d8a3a4f2b4a84dd2babffc1b0c946123fe87
  SHA512: 19764849ea402e1d14f99b94e1b84bc363ad90182817ee7351bddc5143ff59284ecaed82bcb0d0aa5b4207744a2a04a712ec5683e0f15a3d3bef9ceb34006904

- Filesize: 255KB
  MD5: e229c8e696befc4e1124ae5a43075129
  SHA1: 73cdea46af78ee10a88448fd304f7aaa064d49ae
  SHA256: cbdc034f4227d89b2309d9d9f974eed2990869e977455aa0939813aa381f06e1
  SHA512: 665381ebf7b61ad6bd253953e11ff5b0446637ae5be8ed6ab15e7d9ddb1eb60ca68c9025054b68b3ac0a7ce6933c1013a9da1becbac4f6125bf07558bf11f907

- Filesize: 255KB
  MD5: 4ad4887df992a88850a3c3dcc94979b7
  SHA1: 1df1b76861f759718e426bb5a67c639c4a775a23
  SHA256: 73605cc35573fe0269d09a7636da14534873d51b820890548b0547984ea1c7cf
  SHA512: 7816deb4dab32af05ab46d6de3371f6298abb2c90b0ddeafce9f4628d7da83d54d70fddc5b7e68b1009c92b51a6ebd2a69f25b829236f8eead195d580999ebf8

- Filesize: 255KB (listed 5 times)
  MD5: c719e4442b92363bc523aa9bdde02e25
  SHA1: 41217499a4dcf25a0c758ce9965e3ce8ef92f664
  SHA256: 2169e9d7c6a99560db0dbd8849877bc99ef58971a835563bbf0c3f3c19ffa024
  SHA512: c8b73f35355dfae07de1d4bc40aeaa733a0d20f2058d35411e1f994fda6c89db39f35451faecd573d84c1ed1e238fec7856b7d6b9d03b45d069cfc3d40471b8f

- Filesize: 255KB (listed 3 times)
  MD5: 55e56f498ebac3b9343ec7b52e4e3611
  SHA1: e698d7a008e4453dee4109ce7694c929f58b6549
  SHA256: 453e5594280fa0cc5dfa666c462166a42d384a663072eeb69885108712c7ea5f
  SHA512: 1c63b3194a3dd645193e23711af2b886919cce0812fd5c1625e3904a0a95533977cb3fa6e9e59eb6cc80480040cc13398ddd13990ed3da312088bb9c57e9a897

- Filesize: 255KB (listed 5 times)
  MD5: 7343afbfa29eb8f4a5e5a62829b55e5a
  SHA1: 4075ad569234535ff5ce5f48f976e30d2e7e81e1
  SHA256: 460882503c835ff30e039be82abb29ba9806fa179c6aaa77a77f4835cf60cf50
  SHA512: a91567bd0dbb3935f1da4db92cf6ce67aa89562de4f8d04963ae78c6487366d275ba3d4288952ed817f4f9c56ab50e9e8252d7b14b96397512f6e6ab21d3c156

- Filesize: 255KB (listed 3 times)
  MD5: d67ab745d84700e0d2382bee2b9d0e45
  SHA1: cbe009b756f3cc9828cac23d19142a71dc242759
  SHA256: 0f757decde4c123b7316ba153fc3013db723d40f1f7e179b7553da78978ae8b5
  SHA512: 0429f32f179b834839937f3ec4ffe5e65f81ed45c58762e120e91afdb5b69d662a163c6e4145c7855568031ebec5602f02a79d08fdf720c6280b7e4939318954

- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7