Analysis
-
max time kernel
151s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
06/11/2022, 16:06
Behavioral task
behavioral1
Sample
de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe
Resource
win7-20220901-en
General
-
Target
de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe
-
Size
255KB
-
MD5
0e57595d58cb73aaa0e1337ea7f219a0
-
SHA1
73c20152b48503aa6000967676aff594b9bdde57
-
SHA256
de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0
-
SHA512
96e60ee445082ae044943aec862cc51cbabbb911eb52b8f517f698b931cfe0da6c25d28eb2db44b285a16363a2225f5586e3176db2d84dcfc8f2d85b90bd61af
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJl:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIA
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  (bnutuyqood.exe)
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  (bnutuyqood.exe)
-
Modifies Windows Security Center settings 5 IoCs
Turns off Security Center monitoring of antivirus and firewall state and silences the antivirus, firewall and Windows Update notifications.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (bnutuyqood.exe)
-
Disables RegEdit via registry modification 1 IoCs
  Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (bnutuyqood.exe)
-
Executes dropped EXE 5 IoCs
  1892  bnutuyqood.exe
  972   ljuvhkqkbogwrom.exe
  320   uygthywy.exe
  1732  gmpgzbtuvniyd.exe
  2008  uygthywy.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
  Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
  Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Active Setup\Installed Components  (explorer.exe)
-
UPX packed file 30 IoCs
YARA rule upx matched the sample's memory image, every dropped executable's memory image and all dropped files:
  memory (each at 0x0000000000400000-0x00000000004A0000): behavioral1/memory/2032-55, 2032-81, 1892-82, 972-83, 320-84, 1732-85, 2008-87, 1892-98, 972-99, 320-100, 1732-101, 2008-102, 2008-104, 320-105 (-memory.dmp)
  files: behavioral1/files/0x0008000000005c51-56.dat, -58.dat, -64.dat; 0x0008000000014219-59.dat, -62.dat, -69.dat; 0x000700000001435a-65.dat, -67.dat, -73.dat, -75.dat, -77.dat; 0x00060000000143a3-70.dat, -72.dat, -79.dat; 0x0006000000014b90-95.dat; 0x0006000000014bb0-96.dat
-
Loads dropped DLL 5 IoCs
  2032  de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe  (4 entries)
  1892  bnutuyqood.exe  (1 entry)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies Windows Security Center settings 6 IoCs
The same Security Center writes reported again, plus FirstRunDisabled:
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (bnutuyqood.exe)
-
Adds Run key to start application 2 TTPs 4 IoCs
  Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  (ljuvhkqkbogwrom.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\grfhqhev = "bnutuyqood.exe"  (ljuvhkqkbogwrom.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hlcyoowg = "ljuvhkqkbogwrom.exe"  (ljuvhkqkbogwrom.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gmpgzbtuvniyd.exe"  (ljuvhkqkbogwrom.exe; written to the key's default value)
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  bnutuyqood.exe  File opened (read-only): \??\a: \??\b: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\v: \??\w: \??\x: \??\y: \??\z:  (21 opens, each letter once)
  uygthywy.exe    File opened (read-only): \??\a: through \??\z: except \??\c: and \??\d:; every letter opened twice except g:, j:, o:, p: and u:  (43 opens)
-
Modifies WinLogon 2 TTPs 2 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  (bnutuyqood.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  (bnutuyqood.exe)
4294967197 is 0xFFFFFF9D, i.e. -99 as a signed DWORD: the value that disabled Windows File Protection on Windows 2000/XP. Windows 7 uses Windows Resource Protection, which ignores this key, so the write is a legacy defence-evasion step carried over from older code rather than an effective one here.
-
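The registry writes in the signatures above (Explorer view settings, Security Center overrides, DisableRegistryTools, the Run values and the Winlogon SFC values) reach the reader as flattened "description ioc Process" rows. The script below is an added example, not part of the sandbox report or its tooling: it parses such rows into hive/key/name/value/process records, converts the unsigned DWORD rendering back to its signed value, and flags the writes that are known defence-evasion or persistence tells. The sample rows are copied from this report; the TELLS table and its explanations are the editor's own annotation, not text from the report.

```python
import re
from typing import Dict, List, Optional

# Rows copied verbatim from the signature tables in this report (the sandbox's own quoting).
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" bnutuyqood.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" bnutuyqood.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" bnutuyqood.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" bnutuyqood.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run ljuvhkqkbogwrom.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\grfhqhev = "bnutuyqood.exe" ljuvhkqkbogwrom.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gmpgzbtuvniyd.exe" ljuvhkqkbogwrom.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" bnutuyqood.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" bnutuyqood.exe',
    r'Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe',
]

# One flattened row: operation, kernel registry path, optional '= value', writing process.
IOC_LINE = re.compile(
    r'^(?P<op>Set value \((?P<kind>\w+)\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s(?:"(?P<value>.*)"|(?P<raw>\S+)))?'
    r'\s+(?P<process>\S+)$'
)

# (key suffix, value name, expected value or None, what the write buys the attacker).
# Editor's annotation from general Windows knowledge, not text taken from the report.
TELLS = [
    ("\\explorer\\advanced", "hidefileext", "1", "hide file extensions, so a dropped X.DOC.exe displays as X.DOC"),
    ("\\explorer\\advanced", "showsuperhidden", "0", "keep system and super-hidden files out of Explorer"),
    ("\\policies\\system", "disableregistrytools", "1", "block regedit for this user"),
    ("\\security center", "antivirusoverride", "1", "stop Security Center monitoring antivirus state"),
    ("\\security center", "firewalloverride", "1", "stop Security Center monitoring firewall state"),
    ("\\security center", "antivirusdisablenotify", "1", "silence antivirus-off notifications"),
    ("\\security center", "firewalldisablenotify", "1", "silence firewall-off notifications"),
    ("\\security center", "updatesdisablenotify", "1", "silence Windows Update notifications"),
    ("\\winlogon", "sfcdisable", None, "legacy Windows File Protection switch"),
]


def hive_path(path: str) -> str:
    """Rewrite the kernel object path into the HKLM/HKU form reg.exe and detection rules use."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(prefix):
            return hive + path[len(prefix):]
    return path


def signed_dword(text: str) -> int:
    """The sandbox prints REG_DWORD unsigned; 4294967197 is 0xFFFFFF9D, i.e. -99."""
    value = int(text)
    return value - (1 << 32) if value >= (1 << 31) else value


def parse_ioc_line(line: str) -> Optional[Dict[str, str]]:
    """Split one row into its columns; the value name is the last path element for Set value rows."""
    m = IOC_LINE.match(line.strip())
    if not m:
        return None
    op, full = m.group("op"), hive_path(m.group("path"))
    if op.startswith("Set value"):
        key, _, name = full.rpartition("\\")
        name = name or "(Default)"          # trailing backslash means the key's default value
    else:
        key, name = full, ""
    value = m.group("value") if m.group("value") is not None else (m.group("raw") or "")
    return {"op": op, "kind": m.group("kind") or "", "key": key, "name": name,
            "value": value, "process": m.group("process"), "note": ""}


def note_for(rec: Dict[str, str]) -> str:
    """One-line meaning of a write that is a known defence-evasion or persistence tell, else ''."""
    key, name, value = rec["key"].lower(), rec["name"].lower(), rec["value"]
    if rec["op"].startswith("Set value"):
        for suffix, tell_name, tell_value, why in TELLS:
            if key.endswith(suffix) and name == tell_name and tell_value in (None, value):
                if rec["kind"] == "int" and value.isdigit() and int(value) >= (1 << 31):
                    why += " (signed: %d)" % signed_dword(value)
                return why
        if key.endswith("\\currentversion\\run"):
            return "autostart: " + value
        if re.fullmatch(r"hklm\\software\\classes\\\.(wsh|wsf|bat|vbs|reg)", key) and value.lower() == "txtfile":
            return "file type remapped to txtfile, so double-clicking opens Notepad instead of running it"
    elif key.endswith("\\currentversion\\run"):
        return "autostart key touched"
    return ""


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every row and annotate the ones worth a second look; rows that do not parse are dropped."""
    records = []
    for line in lines:
        rec = parse_ioc_line(line)
        if rec is not None:
            rec["note"] = note_for(rec)
            records.append(rec)
    return records


def find_value(records: List[Dict[str, str]], name: str) -> Dict[str, str]:
    """First record whose value name matches, case-insensitively."""
    return next(r for r in records if r["name"].lower() == name.lower())


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print("%-20s %-16s %s\\%s = %r  %s" % (r["process"], r["op"], r["key"], r["name"], r["value"], r["note"]))
```

The regex keeps the path lazy and lets the trailing process token anchor the row, which is what makes keys containing spaces ("Security Center", "Windows NT", "Local Settings") parse without a separate column delimiter. Unquoted REG_BINARY values such as MRUListEx = ffffffff are accepted alongside quoted ones.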
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
YARA rule autoit_exe matched the memory image of every process in the chain (each at 0x0000000000400000-0x00000000004A0000): behavioral1/memory/2032-55, 2032-81, 1892-82, 972-83, 320-84, 1732-85, 2008-87, 1892-98, 972-99, 320-100, 1732-101, 2008-102, 2008-104, 320-105 (-memory.dmp)
-
Drops file in System32 directory 9 IoCs
  de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe: File created and File opened for modification for each of C:\Windows\SysWOW64\bnutuyqood.exe, C:\Windows\SysWOW64\ljuvhkqkbogwrom.exe, C:\Windows\SysWOW64\uygthywy.exe, C:\Windows\SysWOW64\gmpgzbtuvniyd.exe  (8 events)
  bnutuyqood.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll  (the Visual Basic 6 runtime)
-
Drops file in Program Files directory 15 IoCs
All by uygthywy.exe, under the Word 2010 template folder C:\Program Files (x86)\Microsoft Office\Office14\1033 (the \??\c: and C: spellings are the same path):
  File created PROTTPLN.DOC.exe  (×2)
  File opened for modification PROTTPLN.DOC.exe  (×4)
  File created PROTTPLV.DOC.exe  (×1)
  File opened for modification PROTTPLV.DOC.exe  (×4)
  File opened for modification PROTTPLN.nal  (×2)
  File opened for modification PROTTPLV.nal  (×2)
Each template gets an executable twin named .DOC.exe next to a .nal file; with HideFileExt set to 1 above, PROTTPLN.DOC.exe is displayed as PROTTPLN.DOC.
-
Drops file in Windows directory 4 IoCs
  de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe: File opened for modification C:\Windows\mydoc.rtf
  WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf; File created C:\Windows\~$mydoc.rtf (Word's owner/lock file for the open document); File opened for modification C:\Windows\Debug\WIA\wiatrace.log
The dropper writes mydoc.rtf and Word then opens it, which is what puts WINWORD.EXE (PID 1472) into the process tree.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings (all by WINWORD.EXE) 31 IoCs
Word registering itself as Internet Explorer's HTML/MHTML editor and adding its MenuExt items. U = \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer; M = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer; WORDDESC is the REG_BINARY value given at the end of this list.
  Set value (str) U\Toolbar\ShowDiscussionButton = "Yes"
  Key created U\Toolbar
  Key created U\MenuExt
  Key created U\MenuExt\E&xport to Microsoft Excel
  Set value (str) U\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Set value (int) U\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Key created U\MenuExt\Se&nd to OneNote
  Set value (str) U\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Set value (int) U\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key deleted M\Default HTML Editor
  Key deleted M\Default HTML Editor\shell
  Key deleted M\Default HTML Editor\shell\edit
  Key deleted M\Default HTML Editor\shell\edit\COMMAND
  Key created M\Default HTML Editor
  Key created M\Default HTML Editor\shell
  Key created M\Default HTML Editor\shell\edit
  Key created M\Default HTML Editor\shell\edit\command
  Set value (str) M\Default HTML Editor\shell\edit\ = "&Edit"
  Set value (str) M\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (data) M\Default HTML Editor\shell\edit\command\command = WORDDESC
  Key deleted M\Default MHTML Editor
  Key deleted M\Default MHTML Editor\shell
  Key deleted M\Default MHTML Editor\shell\edit
  Key deleted M\Default MHTML Editor\shell\edit\COMMAND
  Key created M\Default MHTML Editor
  Key created M\Default MHTML Editor\shell
  Key created M\Default MHTML Editor\shell\edit
  Key created M\Default MHTML Editor\shell\edit\command
  Set value (str) M\Default MHTML Editor\shell\edit\ = "&Edit"
  Set value (str) M\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (data) M\Default MHTML Editor\shell\edit\command\command = WORDDESC
WORDDESC = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
-
Modifies registry class 64 IoCs
C = \REGISTRY\MACHINE\SOFTWARE\Classes; UC = \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES; EXCELDESC and PUBDESC are the REG_BINARY values given at the end of this list.
de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe (2):
  Set value (str) C\CLV.Classes\Com1 = "33412C769D2C82206D4277A077272CAA7D8164DD"
  Set value (str) C\CLV.Classes\Com4 = "7E8FFF8A4F5B856F9032D75A7E91BC93E6345932674E6237D790"
bnutuyqood.exe (6):
  Set value (str) C\.WSH\ = "txtfile"
  Set value (str) C\.WSF\ = "txtfile"
  Set value (str) C\.bat\ = "txtfile"
  Key created C\.wsc
  Key created C\.vbs
  Key created C\.reg
explorer.exe (4):
  Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings
  Key created UC\Local Settings\Software\Microsoft\Windows\Shell
  Key created UC\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
  Set value (data) UC\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
WINWORD.EXE (52):
  Key created C\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
  Key created C\htmlfile\ShellEx
  Key deleted C\htmlfile\shell\Edit\command
  Set value (str) C\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
  Key deleted C\htmlfile\shell\Print\command
  Key created C\htmlfile\shell\Print\command
  Key created C\mhtmlfile
  Key created C\mhtmlfile\shell
  Key created C\mhtmlfile\ShellEx
  Key created C\mhtmlfile\shellex\IconHandler
  Key deleted C\mhtmlfile\shell\Edit\command
  Key created C\mhtmlfile\shell\Edit\command
  Key deleted C\mhtmlfile\shell\Print\command
  Key created C\.htm
  Key created C\.htm\OpenWithList
  Key created C\.htm\OpenWithList\WinWord.exe
  Set value (str) C\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
  Key created C\.htm\OpenWithList\Microsoft Word\shell\edit\command
  Set value (str) C\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str) C\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
  Set value (str) C\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Set value (data) C\.htm\OpenWithList\Excel.exe\shell\edit\command\command = EXCELDESC
  Key created C\.htm\OpenWithList\Microsoft Excel
  Key created C\.htm\OpenWithList\Microsoft Excel\shell\edit
  Key created C\.htm\OpenWithList\Microsoft Excel\shell\edit\command
  Set value (str) C\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Set value (str) C\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  Key created C\.htm\OpenWithList\MSPub.exe\shell\edit\command
  Set value (str) C\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Set value (data) C\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = PUBDESC
  Key created C\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
  Set value (str) C\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created C\.mht
  Key created C\.mht\OpenWithList
  Set value (str) C\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
  Key created C\.mht\OpenWithList\Microsoft Word\shell\edit
  Set value (str) C\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created C\.mht\OpenWithList\Excel.exe\shell\edit
  Set value (str) C\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created C\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
  Set value (data) C\.mht\OpenWithList\Excel.exe\shell\edit\command\command = EXCELDESC
  Key created C\.mht\OpenWithList\Microsoft Excel
  Set value (str) C\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created C\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
  Set value (str) C\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Key created C\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
  Set value (data) C\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = EXCELDESC
  Key created C\.mht\OpenWithList\MSPub.exe
  Set value (str) C\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created C\.mht\OpenWithList\Microsoft Publisher
  Set value (str) C\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Set value (data) C\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = PUBDESC
EXCELDESC = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
PUBDESC = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
-
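The three REG_BINARY "command" values above (written by WINWORD.EXE under Default HTML Editor, Default MHTML Editor and the .htm/.mht OpenWithList keys) are shown as hex. They are UTF-16LE strings holding a Windows Installer "Darwin descriptor" of the form packed product code + feature name + ">" + packed component code, followed by the command-line tail; Office writes these so the shell can trigger MSI self-repair before launching the application. The decoder below is an added example, not code from the report or from the sandbox. The 20-character packed GUID format and its base-85 alphabet are not documented by Microsoft and are reproduced here from public analyses of Windows Installer; the decode is checked by recovering Office 2010's product code {90140000-0011-0000-0000-0000000FF1CE} from the report's own bytes. The three hex strings are copied from the report; everything else is the editor's.

```python
import re
from typing import Dict

# Base-85 alphabet Windows Installer uses for "packed" GUIDs inside Darwin descriptors
# (editor's transcription from public analyses; verified against the Office product code below).
DESCRIPTOR_ALPHABET = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"
assert len(DESCRIPTOR_ALPHABET) == 85

# REG_BINARY "command" values copied verbatim from the report's registry IoCs (written by WINWORD.EXE).
WORD_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
EXCEL_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"
PUBLISHER_COMMAND_HEX = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000"

# product code (20 chars) + feature name + '>' + component code (20 chars) + command tail
DESCRIPTOR = re.compile(r"^(?P<product>.{20})(?P<feature>[^>]*)>(?P<component>.{20})(?P<tail>.*)$", re.S)


def decode_reg_utf16(hex_data: str) -> str:
    """Turn the sandbox's hex dump of a UTF-16LE REG_BINARY string back into text, dropping the NUL tail."""
    return bytes.fromhex(hex_data).decode("utf-16-le").split("\x00", 1)[0]


def unpack_guid(packed: str) -> str:
    """Expand a 20-character packed GUID: four groups of five base-85 digits, least significant
    digit first, giving Data1, (Data3 << 16 | Data2) and the two halves of Data4."""
    if len(packed) != 20:
        raise ValueError("packed GUID must be 20 characters: %r" % packed)
    dwords = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(packed[i:i + 5]):
            value = value * 85 + DESCRIPTOR_ALPHABET.index(ch)   # ValueError on a foreign character
        if value >> 32:
            raise ValueError("group %r overflows 32 bits" % packed[i:i + 5])
        dwords.append(value)
    d1, d2, d3, d4 = dwords
    tail = d3.to_bytes(4, "little") + d4.to_bytes(4, "little")   # Data4 in wire order
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2 & 0xFFFF, d2 >> 16,
                                       tail[:2].hex().upper(), tail[2:].hex().upper())


def parse_darwin_descriptor(text: str) -> Dict[str, str]:
    """Split a decoded descriptor into product code, feature, component code and command tail."""
    m = DESCRIPTOR.match(text)
    if not m:
        raise ValueError("not a Darwin descriptor: %r" % text)
    return {
        "product_code": unpack_guid(m.group("product")),
        "feature": m.group("feature"),
        "component_code": unpack_guid(m.group("component")),
        "command_tail": m.group("tail").strip(),
        "descriptor": text,
    }


def decode_descriptor_value(hex_data: str) -> Dict[str, str]:
    """Hex dump from the report -> UTF-16LE text -> parsed descriptor."""
    return parse_darwin_descriptor(decode_reg_utf16(hex_data))


if __name__ == "__main__":
    for label, blob in (("Word", WORD_COMMAND_HEX), ("Excel", EXCEL_COMMAND_HEX), ("Publisher", PUBLISHER_COMMAND_HEX)):
        info = decode_descriptor_value(blob)
        print("%-9s %s  feature=%s  component=%s  tail=%s" % (label, info["product_code"],
              info["feature"], info["component_code"], info["command_tail"]))
```

All three blobs decode to the same product code with features WORDFiles, EXCELFiles and PubPrimary and the tails /n "%1", /dde and %1, i.e. Office's own advertised-verb registration rather than anything the sample planted. On a report this noisy that distinction is the triage point: the hex under WINWORD.EXE is benign residue of opening mydoc.rtf, while the genuinely hostile registry writes are the ones made by bnutuyqood.exe and ljuvhkqkbogwrom.exe.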
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  1472  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
  2032  de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe  (×8)
  1892  bnutuyqood.exe  (×5)
  972   ljuvhkqkbogwrom.exe  (×17)
  320   uygthywy.exe  (×4)
  1732  gmpgzbtuvniyd.exe  (×26)
  2008  uygthywy.exe  (×4)
-
Suspicious use of AdjustPrivilegeToken 28 IoCs
  1904  explorer.exe  Token: SeShutdownPrivilege  (×10)
  672   AUDIODG.EXE   Token: 33 (×2), SeIncBasePriorityPrivilege (×2)
  1904  explorer.exe  Token: SeShutdownPrivilege  (×2)
  2004  explorer.exe  Token: SeShutdownPrivilege  (×12)
-
Suspicious use of FindShellTrayWindow 61 IoCs
  2032  de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe  (×3)
  1892  bnutuyqood.exe  (×3)
  972   ljuvhkqkbogwrom.exe  (×3)
  320   uygthywy.exe  (×3)
  1732  gmpgzbtuvniyd.exe  (×3)
  2008  uygthywy.exe  (×3)
  1904 and 2004  explorer.exe  (43 entries between the two PIDs)
-
Suspicious use of SendNotifyMessage 48 IoCs
pid Process
2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe (3 entries)
1892 bnutuyqood.exe (3 entries)
972 ljuvhkqkbogwrom.exe (3 entries)
320 uygthywy.exe (3 entries)
1732 gmpgzbtuvniyd.exe (3 entries)
2008 uygthywy.exe (3 entries)
1904 explorer.exe (12 entries)
2004 explorer.exe (18 entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1472 WINWORD.EXE (2 entries)
-
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 2032 wrote to memory of 1892 2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe 26 (4 entries)
PID 2032 wrote to memory of 972 2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe 27 (4 entries)
PID 2032 wrote to memory of 320 2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe 28 (4 entries)
PID 2032 wrote to memory of 1732 2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe 29 (4 entries)
PID 1892 wrote to memory of 2008 1892 bnutuyqood.exe 30 (4 entries)
PID 2032 wrote to memory of 1472 2032 de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe 31 (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\de656fea662c03345514943c58798a62f8a93d419c29d246c3edbc0392eb75d0.exe"
Depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2032

    C:\Windows\SysWOW64\bnutuyqood.exe
    Command line: bnutuyqood.exe
    Depth: 2 (spawned under PID 2032)
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1892

        C:\Windows\SysWOW64\uygthywy.exe
        Command line: C:\Windows\system32\uygthywy.exe
        Depth: 3 (spawned under PID 1892)
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID:2008

    C:\Windows\SysWOW64\ljuvhkqkbogwrom.exe
    Command line: ljuvhkqkbogwrom.exe
    Depth: 2 (spawned under PID 2032)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:972

    C:\Windows\SysWOW64\uygthywy.exe
    Command line: uygthywy.exe
    Depth: 2 (spawned under PID 2032)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:320

    C:\Windows\SysWOW64\gmpgzbtuvniyd.exe
    Command line: gmpgzbtuvniyd.exe
    Depth: 2 (spawned under PID 2032)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1732

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    Depth: 2 (spawned under PID 2032)
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1472

C:\Windows\explorer.exe
Command line: explorer.exe
Depth: 1
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1904

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x58c
Depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\explorer.exe
Command line: explorer.exe
Depth: 1
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2004
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (8)
Downloads
-
Filesize 255KB
MD5 fc549e2fe8ce2c7c7b449bd71b08f3e4
SHA1 46396a40e79b3abddd13e0d542e0577a79657098
SHA256 379b5c4a97b10ce34d9e5e13b8eaf84d79ee144cc9470991decd0bb7e873fb0a
SHA512 707c8291e37d7fa4f82dd4ea6003cdf53987ade1feb0d33ab730f1b2ed7230ce3a2d98bdb5f693e818c3a946b1de2646d2761297f376717ab0d4e80799d18593
-
Filesize 255KB
MD5 c41d30e007bb6aaa12dc5e49a0b018cd
SHA1 3782308eea3133f5d2ae71b99987450dec2da04f
SHA256 052c073922367b43df96daa67448555a966959a309d8200e85f554d4e7d4bdfd
SHA512 0e1b9c66fd207fc5a38a3aeba77709b19739fe8d652143964dc1911b5629c5aa3ab5629fcca02b9d8a163ae604897c32adeae7eeeeff0d331a66dad597f76628
-
Filesize 255KB
MD5 c9d3cbdaefda2ed38aec88d034f8b92f
SHA1 e52709140a880f528d07105f69de3282d30af792
SHA256 6c4399eb370d451dc1d3e3e348e3f248be0d0c078e970f8bb2f5547afd074c19
SHA512 f8db752fd63f6bfc015dd69342c046c27e4e4d6da6e34473c8f092579a3910aae8742a7cd9f82f3d7cc7f93a0470b5adfd90d787489611505a9c1b20fb12b370
-
Filesize 255KB
MD5 c9d3cbdaefda2ed38aec88d034f8b92f
SHA1 e52709140a880f528d07105f69de3282d30af792
SHA256 6c4399eb370d451dc1d3e3e348e3f248be0d0c078e970f8bb2f5547afd074c19
SHA512 f8db752fd63f6bfc015dd69342c046c27e4e4d6da6e34473c8f092579a3910aae8742a7cd9f82f3d7cc7f93a0470b5adfd90d787489611505a9c1b20fb12b370
-
Filesize 255KB
MD5 f6fa5b865b7a2398aefb1b84da15d507
SHA1 f6246ed6d18716210aaac3d95f9a77478ab2892b
SHA256 f65b2581752ae0f711c91bb05e348a93416bb351a1691c19ba97b4ea3793d349
SHA512 3e54df6315343787004f9428ee10d6c081625e47f2342be57a0c68f35a7db2af0ed0563a0c32888409901b3c68fec6be7dc11a244f77bde210048c45829a0417
-
Filesize 255KB
MD5 f6fa5b865b7a2398aefb1b84da15d507
SHA1 f6246ed6d18716210aaac3d95f9a77478ab2892b
SHA256 f65b2581752ae0f711c91bb05e348a93416bb351a1691c19ba97b4ea3793d349
SHA512 3e54df6315343787004f9428ee10d6c081625e47f2342be57a0c68f35a7db2af0ed0563a0c32888409901b3c68fec6be7dc11a244f77bde210048c45829a0417
-
Filesize 255KB
MD5 5db9175409663bca6aa076cc86ad79d4
SHA1 f158fe3260b71789e3bc877d7c7799c58a7a49cb
SHA256 c59513cb7249baf047107c89d34bf180383a22447d1b6648195a2d80da3fd03d
SHA512 235d35356886ac3ff1de0a09e05e793daa9a7d998c48936080b9b164330c3c53cc1769de4bd9a5c95ac0240df5731c469909ed734f5e048c8bc82c3499f69d70
-
Filesize 255KB
MD5 5db9175409663bca6aa076cc86ad79d4
SHA1 f158fe3260b71789e3bc877d7c7799c58a7a49cb
SHA256 c59513cb7249baf047107c89d34bf180383a22447d1b6648195a2d80da3fd03d
SHA512 235d35356886ac3ff1de0a09e05e793daa9a7d998c48936080b9b164330c3c53cc1769de4bd9a5c95ac0240df5731c469909ed734f5e048c8bc82c3499f69d70
-
Filesize 255KB
MD5 c121e2118ca19429cdf0e20b5650ac72
SHA1 3d5ebe04ddecc8c57fa447def0a558bc7910bb7e
SHA256 190f75b7f1d6392a0b5b48cd597d32b26c52aa35d1d91ed22cbb9f08e65f30f8
SHA512 01a1bcb295ab597f578ccd2de556ec4774d9258da986477a80717b79266ff811529ec0fcbef564a33328f0769d30c80f2b6c88f42aa4299944e9ad0ea34b5c9b
-
Filesize 255KB
MD5 c121e2118ca19429cdf0e20b5650ac72
SHA1 3d5ebe04ddecc8c57fa447def0a558bc7910bb7e
SHA256 190f75b7f1d6392a0b5b48cd597d32b26c52aa35d1d91ed22cbb9f08e65f30f8
SHA512 01a1bcb295ab597f578ccd2de556ec4774d9258da986477a80717b79266ff811529ec0fcbef564a33328f0769d30c80f2b6c88f42aa4299944e9ad0ea34b5c9b
-
Filesize 255KB
MD5 c121e2118ca19429cdf0e20b5650ac72
SHA1 3d5ebe04ddecc8c57fa447def0a558bc7910bb7e
SHA256 190f75b7f1d6392a0b5b48cd597d32b26c52aa35d1d91ed22cbb9f08e65f30f8
SHA512 01a1bcb295ab597f578ccd2de556ec4774d9258da986477a80717b79266ff811529ec0fcbef564a33328f0769d30c80f2b6c88f42aa4299944e9ad0ea34b5c9b
-
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
Filesize 255KB
MD5 c9d3cbdaefda2ed38aec88d034f8b92f
SHA1 e52709140a880f528d07105f69de3282d30af792
SHA256 6c4399eb370d451dc1d3e3e348e3f248be0d0c078e970f8bb2f5547afd074c19
SHA512 f8db752fd63f6bfc015dd69342c046c27e4e4d6da6e34473c8f092579a3910aae8742a7cd9f82f3d7cc7f93a0470b5adfd90d787489611505a9c1b20fb12b370
-
Filesize 255KB
MD5 f6fa5b865b7a2398aefb1b84da15d507
SHA1 f6246ed6d18716210aaac3d95f9a77478ab2892b
SHA256 f65b2581752ae0f711c91bb05e348a93416bb351a1691c19ba97b4ea3793d349
SHA512 3e54df6315343787004f9428ee10d6c081625e47f2342be57a0c68f35a7db2af0ed0563a0c32888409901b3c68fec6be7dc11a244f77bde210048c45829a0417
-
Filesize 255KB
MD5 5db9175409663bca6aa076cc86ad79d4
SHA1 f158fe3260b71789e3bc877d7c7799c58a7a49cb
SHA256 c59513cb7249baf047107c89d34bf180383a22447d1b6648195a2d80da3fd03d
SHA512 235d35356886ac3ff1de0a09e05e793daa9a7d998c48936080b9b164330c3c53cc1769de4bd9a5c95ac0240df5731c469909ed734f5e048c8bc82c3499f69d70
-
Filesize 255KB
MD5 c121e2118ca19429cdf0e20b5650ac72
SHA1 3d5ebe04ddecc8c57fa447def0a558bc7910bb7e
SHA256 190f75b7f1d6392a0b5b48cd597d32b26c52aa35d1d91ed22cbb9f08e65f30f8
SHA512 01a1bcb295ab597f578ccd2de556ec4774d9258da986477a80717b79266ff811529ec0fcbef564a33328f0769d30c80f2b6c88f42aa4299944e9ad0ea34b5c9b
-
Filesize 255KB
MD5 c121e2118ca19429cdf0e20b5650ac72
SHA1 3d5ebe04ddecc8c57fa447def0a558bc7910bb7e
SHA256 190f75b7f1d6392a0b5b48cd597d32b26c52aa35d1d91ed22cbb9f08e65f30f8
SHA512 01a1bcb295ab597f578ccd2de556ec4774d9258da986477a80717b79266ff811529ec0fcbef564a33328f0769d30c80f2b6c88f42aa4299944e9ad0ea34b5c9b