62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554

Analysis

max time kernel
153s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
Size

255KB
MD5

0d0c4e16d2ffed16045e3bebf2a7c049
SHA1

04ff66ee578c4c66912365ea3784b67f986eb6f4
SHA256

62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554
SHA512

e3325cf227aa988a694cc49b08c539607c78426c8c916096822230f765605d8cf6d8a20bf306b9f22f16003fbf320ccd6701922782cd26b102ac2a8e6a35c43b
SSDEEP

6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBWFv6l:Plf5j6zCNa0xeE3mW

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	trybeaumyl.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	trybeaumyl.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	trybeaumyl.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	trybeaumyl.exe

Executes dropped EXE 5 IoCs

pid	Process
1732	trybeaumyl.exe
840	gsiztihimsxhbug.exe
1464	qgubxmax.exe
1280	dytvkfwoskowb.exe
2040	qgubxmax.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/memory/1732-62-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1964-59-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00090000000126f1-63.dat	upx
behavioral1/files/0x000800000001313e-66.dat	upx
behavioral1/files/0x000700000001318e-70.dat	upx
behavioral1/files/0x00090000000126f1-76.dat	upx
behavioral1/files/0x000700000001318e-77.dat	upx
behavioral1/files/0x000800000001313e-79.dat	upx
behavioral1/files/0x000800000001313e-73.dat	upx
behavioral1/files/0x000800000001313e-72.dat	upx
behavioral1/files/0x000800000001313e-69.dat	upx
behavioral1/files/0x00090000000126f1-65.dat	upx
behavioral1/files/0x000700000001318e-81.dat	upx
behavioral1/memory/1964-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/840-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1464-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1280-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2040-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1732-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/840-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1464-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1280-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2040-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000600000001420d-101.dat	upx
behavioral1/files/0x000600000001422f-102.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1732	trybeaumyl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	trybeaumyl.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zmlqefzu = "gsiztihimsxhbug.exe"	gsiztihimsxhbug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dytvkfwoskowb.exe"	gsiztihimsxhbug.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gsiztihimsxhbug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jktdysvg = "trybeaumyl.exe"	gsiztihimsxhbug.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	qgubxmax.exe
File opened (read-only)	\??\b:	qgubxmax.exe
File opened (read-only)	\??\s:	qgubxmax.exe
File opened (read-only)	\??\g:	trybeaumyl.exe
File opened (read-only)	\??\n:	trybeaumyl.exe
File opened (read-only)	\??\n:	qgubxmax.exe
File opened (read-only)	\??\u:	qgubxmax.exe
File opened (read-only)	\??\b:	trybeaumyl.exe
File opened (read-only)	\??\s:	qgubxmax.exe
File opened (read-only)	\??\k:	qgubxmax.exe
File opened (read-only)	\??\x:	qgubxmax.exe
File opened (read-only)	\??\h:	qgubxmax.exe
File opened (read-only)	\??\j:	qgubxmax.exe
File opened (read-only)	\??\e:	trybeaumyl.exe
File opened (read-only)	\??\s:	trybeaumyl.exe
File opened (read-only)	\??\e:	qgubxmax.exe
File opened (read-only)	\??\i:	qgubxmax.exe
File opened (read-only)	\??\r:	qgubxmax.exe
File opened (read-only)	\??\u:	trybeaumyl.exe
File opened (read-only)	\??\v:	qgubxmax.exe
File opened (read-only)	\??\x:	qgubxmax.exe
File opened (read-only)	\??\h:	qgubxmax.exe
File opened (read-only)	\??\t:	trybeaumyl.exe
File opened (read-only)	\??\u:	qgubxmax.exe
File opened (read-only)	\??\p:	qgubxmax.exe
File opened (read-only)	\??\a:	qgubxmax.exe
File opened (read-only)	\??\e:	qgubxmax.exe
File opened (read-only)	\??\j:	qgubxmax.exe
File opened (read-only)	\??\q:	trybeaumyl.exe
File opened (read-only)	\??\v:	trybeaumyl.exe
File opened (read-only)	\??\x:	trybeaumyl.exe
File opened (read-only)	\??\z:	qgubxmax.exe
File opened (read-only)	\??\p:	qgubxmax.exe
File opened (read-only)	\??\w:	qgubxmax.exe
File opened (read-only)	\??\a:	trybeaumyl.exe
File opened (read-only)	\??\j:	trybeaumyl.exe
File opened (read-only)	\??\y:	qgubxmax.exe
File opened (read-only)	\??\z:	trybeaumyl.exe
File opened (read-only)	\??\n:	qgubxmax.exe
File opened (read-only)	\??\y:	qgubxmax.exe
File opened (read-only)	\??\o:	qgubxmax.exe
File opened (read-only)	\??\f:	trybeaumyl.exe
File opened (read-only)	\??\k:	trybeaumyl.exe
File opened (read-only)	\??\y:	trybeaumyl.exe
File opened (read-only)	\??\f:	qgubxmax.exe
File opened (read-only)	\??\g:	qgubxmax.exe
File opened (read-only)	\??\v:	qgubxmax.exe
File opened (read-only)	\??\z:	qgubxmax.exe
File opened (read-only)	\??\h:	trybeaumyl.exe
File opened (read-only)	\??\w:	trybeaumyl.exe
File opened (read-only)	\??\m:	qgubxmax.exe
File opened (read-only)	\??\q:	qgubxmax.exe
File opened (read-only)	\??\r:	trybeaumyl.exe
File opened (read-only)	\??\g:	qgubxmax.exe
File opened (read-only)	\??\l:	qgubxmax.exe
File opened (read-only)	\??\t:	qgubxmax.exe
File opened (read-only)	\??\t:	qgubxmax.exe
File opened (read-only)	\??\f:	qgubxmax.exe
File opened (read-only)	\??\i:	qgubxmax.exe
File opened (read-only)	\??\b:	qgubxmax.exe
File opened (read-only)	\??\w:	qgubxmax.exe
File opened (read-only)	\??\k:	qgubxmax.exe
File opened (read-only)	\??\m:	qgubxmax.exe
File opened (read-only)	\??\i:	trybeaumyl.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	trybeaumyl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	trybeaumyl.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1732-62-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1964-59-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1964-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/840-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1464-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1280-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2040-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1732-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/840-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1464-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1280-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2040-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gsiztihimsxhbug.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\SysWOW64\gsiztihimsxhbug.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File created	C:\Windows\SysWOW64\dytvkfwoskowb.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\SysWOW64\dytvkfwoskowb.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	trybeaumyl.exe
File created	C:\Windows\SysWOW64\trybeaumyl.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\SysWOW64\trybeaumyl.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File created	C:\Windows\SysWOW64\qgubxmax.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\SysWOW64\qgubxmax.exe	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qgubxmax.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qgubxmax.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qgubxmax.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qgubxmax.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qgubxmax.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	trybeaumyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	trybeaumyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC67C1597DBC5B8C17CE2EC9437CC"	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	trybeaumyl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	trybeaumyl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB12D4492399952BDBAA632EDD4CE"	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1644	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
2040	qgubxmax.exe
2040	qgubxmax.exe
2040	qgubxmax.exe
2040	qgubxmax.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
840	gsiztihimsxhbug.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
2040	qgubxmax.exe
2040	qgubxmax.exe
2040	qgubxmax.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
1732	trybeaumyl.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
840	gsiztihimsxhbug.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1464	qgubxmax.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
1280	dytvkfwoskowb.exe
2040	qgubxmax.exe
2040	qgubxmax.exe
2040	qgubxmax.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1644	WINWORD.EXE
1644	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1732	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	28
PID 1964 wrote to memory of 1732	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	28
PID 1964 wrote to memory of 1732	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	28
PID 1964 wrote to memory of 1732	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	28
PID 1964 wrote to memory of 840	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	29
PID 1964 wrote to memory of 840	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	29
PID 1964 wrote to memory of 840	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	29
PID 1964 wrote to memory of 840	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	29
PID 1964 wrote to memory of 1464	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	30
PID 1964 wrote to memory of 1464	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	30
PID 1964 wrote to memory of 1464	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	30
PID 1964 wrote to memory of 1464	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	30
PID 1964 wrote to memory of 1280	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	32
PID 1964 wrote to memory of 1280	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	32
PID 1964 wrote to memory of 1280	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	32
PID 1964 wrote to memory of 1280	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	32
PID 1732 wrote to memory of 2040	1732	trybeaumyl.exe	31
PID 1732 wrote to memory of 2040	1732	trybeaumyl.exe	31
PID 1732 wrote to memory of 2040	1732	trybeaumyl.exe	31
PID 1732 wrote to memory of 2040	1732	trybeaumyl.exe	31
PID 1964 wrote to memory of 1644	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	33
PID 1964 wrote to memory of 1644	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	33
PID 1964 wrote to memory of 1644	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	33
PID 1964 wrote to memory of 1644	1964	62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe	33
PID 1644 wrote to memory of 316	1644	WINWORD.EXE	37
PID 1644 wrote to memory of 316	1644	WINWORD.EXE	37
PID 1644 wrote to memory of 316	1644	WINWORD.EXE	37
PID 1644 wrote to memory of 316	1644	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe
"C:\Users\Admin\AppData\Local\Temp\62e622d392ab829ae0a9ce33804105cabc4283ecc18f4d4e3ac48f32c5f9c554.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\trybeaumyl.exe
  trybeaumyl.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\qgubxmax.exe
    C:\Windows\system32\qgubxmax.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2040
- C:\Windows\SysWOW64\gsiztihimsxhbug.exe
  gsiztihimsxhbug.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:840
- C:\Windows\SysWOW64\qgubxmax.exe
  qgubxmax.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1464
- C:\Windows\SysWOW64\dytvkfwoskowb.exe
  dytvkfwoskowb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1280
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
076539f74a40df28761c08e18b80e890

SHA1
d9614893019b3be88eacca7c186e6b10c0b8953f

SHA256
e96fd1812cee582d16dce3cc17e713e0c82c1b534cb8cfb0b4ec0800d250feec

SHA512
67af1347e644859eaaeb0ff47c3971718aec1f52f2e54a5f6cf95141e059679f8be2029d41ac9ec34f41fcca221ca2ee81da89910a2b1b1cca5d829b39889b3c

Download Submit
C:\Windows\SysWOW64\dytvkfwoskowb.exe

Filesize
255KB

MD5
68c36088f745d708e134705311845d97

SHA1
31a35f50a9a6a8e0618b7469cdf8b0e0f387adb9

SHA256
b32c6f7c3c7bd8f55e478f86677ab5bc1c436155910d42a812e0f6200898142a

SHA512
c5a9628335090dc8ec9e6eb9da5f0b8c8ecc32da806438d85027e8552a6bec3402836eb6ca7fe2392d51f7878e60bae41729eebb2629508163ac85d234fb72c2

Download Submit
C:\Windows\SysWOW64\dytvkfwoskowb.exe

Filesize
255KB

MD5
68c36088f745d708e134705311845d97

SHA1
31a35f50a9a6a8e0618b7469cdf8b0e0f387adb9

SHA256
b32c6f7c3c7bd8f55e478f86677ab5bc1c436155910d42a812e0f6200898142a

SHA512
c5a9628335090dc8ec9e6eb9da5f0b8c8ecc32da806438d85027e8552a6bec3402836eb6ca7fe2392d51f7878e60bae41729eebb2629508163ac85d234fb72c2

Download Submit
C:\Windows\SysWOW64\gsiztihimsxhbug.exe

Filesize
255KB

MD5
b0ee6aa52b128c8f3beb4dbd9468e419

SHA1
716d7c95648f25512187fd4526ed0b79b21f85be

SHA256
fbce7ac889f93d1b13880e81177960286031fee7379026c39211ce9853c58203

SHA512
24aca3270cd93fbfa6f38c9e36c4c4799a7bd1a955ec49c70e0c9e03830cf55f39a54eb39005b100410a5afab76d61eb354de6fb3b09c50da7693352b7b826ed

Download Submit
C:\Windows\SysWOW64\gsiztihimsxhbug.exe

Filesize
255KB

MD5
b0ee6aa52b128c8f3beb4dbd9468e419

SHA1
716d7c95648f25512187fd4526ed0b79b21f85be

SHA256
fbce7ac889f93d1b13880e81177960286031fee7379026c39211ce9853c58203

SHA512
24aca3270cd93fbfa6f38c9e36c4c4799a7bd1a955ec49c70e0c9e03830cf55f39a54eb39005b100410a5afab76d61eb354de6fb3b09c50da7693352b7b826ed

Download Submit
C:\Windows\SysWOW64\qgubxmax.exe

Filesize
255KB

MD5
2ee8688214e4c93af893acbebcb750db

SHA1
a9309c3fc6a19ef05beaebae04ad37dd809431af

SHA256
072566611c08bc55f462cf383c310e011ac51d9ab1095e5dcd165377c815ffc2

SHA512
8e83c15f9b4b98ebfa6fb2cbd8538f6c09a6f35a219848cd4ea6a28604cfb703a085fa1b85ef8184e135c79aa03634bc51462bf3f7cb3333f7c37ca0310dbadf

Download Submit
C:\Windows\SysWOW64\qgubxmax.exe

Filesize
255KB

MD5
2ee8688214e4c93af893acbebcb750db

SHA1
a9309c3fc6a19ef05beaebae04ad37dd809431af

SHA256
072566611c08bc55f462cf383c310e011ac51d9ab1095e5dcd165377c815ffc2

SHA512
8e83c15f9b4b98ebfa6fb2cbd8538f6c09a6f35a219848cd4ea6a28604cfb703a085fa1b85ef8184e135c79aa03634bc51462bf3f7cb3333f7c37ca0310dbadf

Download Submit
C:\Windows\SysWOW64\qgubxmax.exe

Filesize
255KB

MD5
2ee8688214e4c93af893acbebcb750db

SHA1
a9309c3fc6a19ef05beaebae04ad37dd809431af

SHA256
072566611c08bc55f462cf383c310e011ac51d9ab1095e5dcd165377c815ffc2

SHA512
8e83c15f9b4b98ebfa6fb2cbd8538f6c09a6f35a219848cd4ea6a28604cfb703a085fa1b85ef8184e135c79aa03634bc51462bf3f7cb3333f7c37ca0310dbadf

Download Submit
C:\Windows\SysWOW64\trybeaumyl.exe

Filesize
255KB

MD5
b93c3ccdceff2e9d5de958599280c11c

SHA1
3d15f6001da3a5e2ccd74d76b4e71d7c143624d3

SHA256
e035422e6946611a8cae2c72cf8eceb9a8901b9755ad8e4497ae2dcd23a3425f

SHA512
10954debc48323af253eba05a8a5d226dd212b4f2dadddce031bcbc59a5b980284685e6e10fe831157d37e7f3a35df206abbb69e06f13f5560fcf197191b35b7

Download Submit
C:\Windows\SysWOW64\trybeaumyl.exe

Filesize
255KB

MD5
b93c3ccdceff2e9d5de958599280c11c

SHA1
3d15f6001da3a5e2ccd74d76b4e71d7c143624d3

SHA256
e035422e6946611a8cae2c72cf8eceb9a8901b9755ad8e4497ae2dcd23a3425f

SHA512
10954debc48323af253eba05a8a5d226dd212b4f2dadddce031bcbc59a5b980284685e6e10fe831157d37e7f3a35df206abbb69e06f13f5560fcf197191b35b7

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
6e5dded178dfa1ad9b7ef5e94f2288fd

SHA1
5a65eb1e6bc100e8fae62457eea4dabe2385cb1a

SHA256
a9c641d34a222c09fcfaccbaa1c4a3353fa020fea027ab9d60d76ca377950027

SHA512
dbf32ada9358916ddf10e400e851d2fc14b880ea072a2ddb5c36f8a3b02cd02c75dc529fe9f7f24d470eb0534f53a728e895c76c4706dbfce14bc4d33fd7aeae

Download Submit
\Windows\SysWOW64\dytvkfwoskowb.exe

Filesize
255KB

MD5
68c36088f745d708e134705311845d97

SHA1
31a35f50a9a6a8e0618b7469cdf8b0e0f387adb9

SHA256
b32c6f7c3c7bd8f55e478f86677ab5bc1c436155910d42a812e0f6200898142a

SHA512
c5a9628335090dc8ec9e6eb9da5f0b8c8ecc32da806438d85027e8552a6bec3402836eb6ca7fe2392d51f7878e60bae41729eebb2629508163ac85d234fb72c2

Download Submit
\Windows\SysWOW64\gsiztihimsxhbug.exe

Filesize
255KB

MD5
b0ee6aa52b128c8f3beb4dbd9468e419

SHA1
716d7c95648f25512187fd4526ed0b79b21f85be

SHA256
fbce7ac889f93d1b13880e81177960286031fee7379026c39211ce9853c58203

SHA512
24aca3270cd93fbfa6f38c9e36c4c4799a7bd1a955ec49c70e0c9e03830cf55f39a54eb39005b100410a5afab76d61eb354de6fb3b09c50da7693352b7b826ed

Download Submit
\Windows\SysWOW64\qgubxmax.exe

Filesize
255KB

MD5
2ee8688214e4c93af893acbebcb750db

SHA1
a9309c3fc6a19ef05beaebae04ad37dd809431af

SHA256
072566611c08bc55f462cf383c310e011ac51d9ab1095e5dcd165377c815ffc2

SHA512
8e83c15f9b4b98ebfa6fb2cbd8538f6c09a6f35a219848cd4ea6a28604cfb703a085fa1b85ef8184e135c79aa03634bc51462bf3f7cb3333f7c37ca0310dbadf

Download Submit
\Windows\SysWOW64\qgubxmax.exe

Filesize
255KB

MD5
2ee8688214e4c93af893acbebcb750db

SHA1
a9309c3fc6a19ef05beaebae04ad37dd809431af

SHA256
072566611c08bc55f462cf383c310e011ac51d9ab1095e5dcd165377c815ffc2

SHA512
8e83c15f9b4b98ebfa6fb2cbd8538f6c09a6f35a219848cd4ea6a28604cfb703a085fa1b85ef8184e135c79aa03634bc51462bf3f7cb3333f7c37ca0310dbadf

Download Submit
\Windows\SysWOW64\trybeaumyl.exe

Filesize
255KB

MD5
b93c3ccdceff2e9d5de958599280c11c

SHA1
3d15f6001da3a5e2ccd74d76b4e71d7c143624d3

SHA256
e035422e6946611a8cae2c72cf8eceb9a8901b9755ad8e4497ae2dcd23a3425f

SHA512
10954debc48323af253eba05a8a5d226dd212b4f2dadddce031bcbc59a5b980284685e6e10fe831157d37e7f3a35df206abbb69e06f13f5560fcf197191b35b7

Download Submit
memory/840-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/840-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1280-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1280-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1464-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1464-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1644-88-0x0000000072931000-0x0000000072934000-memory.dmp

Filesize
12KB

Download
memory/1644-104-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1644-89-0x00000000703B1000-0x00000000703B3000-memory.dmp

Filesize
8KB

Download
memory/1644-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1644-93-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1644-99-0x000000007139D000-0x00000000713A8000-memory.dmp

Filesize
44KB

Download
memory/1732-62-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1732-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1964-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1964-60-0x0000000003320000-0x00000000033C0000-memory.dmp

Filesize
640KB

Download
memory/1964-59-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2040-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2040-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download