Analysis
max time kernel: 154s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07/11/2022, 21:35
Behavioral task: behavioral1
Sample: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Resource: win7-20220812-en
General
Target: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
Size: 255KB
MD5: 02ae9753ce806ffeb5ce51acafbecba1
SHA1: 9348aeb1b26556db5de9f94fd2931615c8cef86b
SHA256: 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6
SHA512: 0cbed35394f4b81bb56dbda507ad548cba5097665df4acb7440f4332d5d2faf619b9ea4d415b5fdf3dc1449045f064e69b67462ff5208ca8dd153a700ae25e97
SSDEEP: 6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI6l:Plf5j6zCNa0xeE3my
Malware Config
Signatures
Modifies visibility of file extensions in Explorer  2 TTPs  1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"  jpvoqisbdh.exe
Modifies visibility of hidden/system files in Explorer  2 TTPs  1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  jpvoqisbdh.exe
Windows security bypass  5 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  jpvoqisbdh.exe
With the two Explorer settings above, a file named something.doc.exe is displayed as something.doc, and the Security Center no longer warns the user when antivirus, the firewall or updates are off.
Disables RegEdit via registry modification  1 IoCs
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  jpvoqisbdh.exe
Executes dropped EXE  5 IoCs
  PID 1480  jpvoqisbdh.exe
  PID 1196  fabbtwkqbrluhyp.exe
  PID 2024  durzvgff.exe
  PID 1516  wsydqptkwymkc.exe
  PID 528   durzvgff.exe
UPX packed file  32 IoCs
  yara rule upx matched in:
  behavioral1/memory/1476-55-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/files/0x0007000000005c50-56.dat
  behavioral1/memory/1476-57-0x00000000023A0000-0x0000000002440000-memory.dmp
  behavioral1/files/0x0007000000005c50-60.dat
  behavioral1/files/0x000a0000000122b9-59.dat
  behavioral1/files/0x00090000000122bd-63.dat
  behavioral1/files/0x000a0000000122b9-65.dat
  behavioral1/files/0x0007000000005c50-67.dat
  behavioral1/files/0x00090000000122bd-69.dat
  behavioral1/files/0x00090000000122c0-68.dat
  behavioral1/files/0x00090000000122c0-72.dat
  behavioral1/memory/1480-73-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1196-75-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1516-77-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/2024-76-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/files/0x000a0000000122b9-80.dat
  behavioral1/files/0x00090000000122bd-79.dat
  behavioral1/files/0x00090000000122c0-81.dat
  behavioral1/files/0x00090000000122bd-82.dat
  behavioral1/files/0x00090000000122bd-84.dat
  behavioral1/memory/528-86-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1476-88-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/files/0x00020000000001bf-89.dat
  behavioral1/memory/1480-93-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1196-94-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1516-96-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/2024-95-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/528-99-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/files/0x0008000000012301-105.dat
  behavioral1/files/0x0008000000012301-106.dat
  behavioral1/files/0x0008000000012301-104.dat
  behavioral1/files/0x000800000001230f-107.dat
The same 0x400000-0x4A0000 image regions of PIDs 1476, 1480, 1196, 1516, 2024 and 528 are matched by the autoit_exe rule below, so the sample and every executable it drops appear to be copies of one UPX-packed AutoIt binary.
Loads dropped DLL  5 IoCs
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  (listed 4 times)
  PID 1480  jpvoqisbdh.exe  (listed once)
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification  6 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  jpvoqisbdh.exe
Adds Run key to start application  2 TTPs  4 IoCs
  Key created      \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  fabbtwkqbrluhyp.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\laitknvl = "jpvoqisbdh.exe"  fabbtwkqbrluhyp.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdrhgrjf = "fabbtwkqbrluhyp.exe"  fabbtwkqbrluhyp.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wsydqptkwymkc.exe"  fabbtwkqbrluhyp.exe
The three values hold bare file names rather than absolute paths (the last one is the key's default value), so they rely on the executables sitting in SysWOW64 being found via the normal search path.
Enumerates connected drives  3 TTPs  64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only)  jpvoqisbdh.exe  (22 entries):  \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\s: \??\t: \??\u: \??\w: \??\x: \??\y: \??\z:
  File opened (read-only)  durzvgff.exe  (42 entries; two instances run, PID 2024 and PID 528):  \??\a: \??\a: \??\b: \??\b: \??\e: \??\f: \??\g: \??\g: \??\h: \??\i: \??\i: \??\j: \??\k: \??\k: \??\l: \??\l: \??\m: \??\m: \??\n: \??\n: \??\o: \??\o: \??\p: \??\q: \??\q: \??\r: \??\r: \??\s: \??\t: \??\t: \??\u: \??\u: \??\v: \??\v: \??\w: \??\w: \??\x: \??\x: \??\y: \??\y: \??\z: \??\z:
64 is the per-signature display cap of the report, so this list is truncated; both processes walk the drive letters a: to z: (c: and d: do not appear here).
Modifies WinLogon  2 TTPs  2 IoCs
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"  jpvoqisbdh.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"  jpvoqisbdh.exe
4294967197 is 0xFFFFFF9D, the legacy magic value used to switch off Windows File Protection on Windows 2000/XP-era systems. Windows 7's Windows Resource Protection does not read this value, so on this image the write is a fingerprint of old code rather than an effective bypass.
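The registry writes attributed to jpvoqisbdh.exe and fabbtwkqbrluhyp.exe above form a standard defence-evasion and persistence set. The following script is an added example and is not part of the Triage report: it parses "Set value" IoC lines in the report's flattened layout, maps the kernel-object hive names (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to HKLM/HKU and drops the Wow6432Node redirection, then classifies each write against a rule table. The rule table and its labels are the editor's, not Triage's; the sample lines are copied from this report, plus one benign WINWORD.EXE write to show it is left alone.

```python
import re
from dataclasses import dataclass

# Constructed sample: "Set value" IoC lines copied from the signatures above, in the
# flattened "description ioc Process" layout the report uses. The last line is a
# benign WINWORD.EXE write, included to show that it is not flagged.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" jpvoqisbdh.exe
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" jpvoqisbdh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" jpvoqisbdh.exe
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jpvoqisbdh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\laitknvl = "jpvoqisbdh.exe" fabbtwkqbrluhyp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" jpvoqisbdh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" jpvoqisbdh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE
"""

# One report row: description, value path, quoted value, writing process.
LINE_RE = re.compile(r'^Set value \((?P<type>int|str|data)\) (?P<path>.+?) = "(?P<value>.*)" (?P<proc>\S+)$')


@dataclass
class RegWrite:
    proc: str
    vtype: str
    path: str    # normalized: HKLM\... or HKU\<SID>\..., Wow6432Node removed
    value: str


def normalize_path(path: str) -> str:
    """Map the kernel-object form Triage logs to the hive abbreviations used in
    hardening baselines, dropping the WOW64 node so 32- and 64-bit writers compare equal."""
    parts = path.split('\\')          # parts[0] is '' because the path starts with '\'
    if parts[1:2] == ['REGISTRY'] and len(parts) > 2:
        if parts[2].upper() == 'MACHINE':
            parts = ['HKLM'] + parts[3:]
        elif parts[2].upper() == 'USER':
            parts = ['HKU'] + parts[3:]
    parts = [p for p in parts if p.lower() != 'wow6432node']
    return '\\'.join(parts)


def parse_set_values(text: str) -> list:
    writes = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # Key created / File opened rows are not handled here
        writes.append(RegWrite(m['proc'], m['type'], normalize_path(m['path']), m['value']))
    return writes


# Editor's rule table (not Triage's): regex on the lower-cased normalized path,
# predicate on the written value, and the effect of the write.
RULES = [
    (r'\\explorer\\advanced\\hidefileext$',               lambda v: v == '1', 'hides file extensions (x.doc.exe displays as x.doc)'),
    (r'\\explorer\\advanced\\showsuperhidden$',           lambda v: v == '0', 'hides protected operating-system files'),
    (r'\\security center\\(antivirus|firewall)override$', lambda v: v == '1', 'tells Security Center the product is managed elsewhere, so no alert'),
    (r'\\security center\\\w+disablenotify$',             lambda v: v == '1', 'suppresses a Security Center notification'),
    (r'\\security center\\firstrundisabled$',             lambda v: v == '1', 'suppresses the Security Center first-run prompt'),
    (r'\\policies\\system\\disableregistrytools$',        lambda v: v == '1', 'blocks regedit.exe for the user'),
    (r'\\currentversion\\run\\',                          lambda v: True,     'Run-key persistence'),
    (r'\\winlogon\\sfcdisable$',                          lambda v: v == '4294967197', 'legacy SFC-disable magic value (0xFFFFFF9D)'),
    (r'\\winlogon\\sfcscan$',                             lambda v: v == '0', 'disables the SFC scan at boot'),
    (r'^hklm\\software\\classes\\\.(wsc|wsh|vbs)\\',      lambda v: True,     'script file-association tampering'),
]


@dataclass
class Finding:
    proc: str
    path: str
    value: str
    label: str


def classify(writes: list) -> list:
    """First matching rule wins; writes that match no rule are dropped."""
    findings = []
    for w in writes:
        low = w.path.lower()
        for pattern, accept, label in RULES:
            if re.search(pattern, low) and accept(w.value):
                findings.append(Finding(w.proc, w.path, w.value, label))
                break
    return findings


if __name__ == '__main__':
    for f in classify(parse_set_values(SAMPLE_IOCS)):
        print(f'{f.proc:22} {f.label:60} {f.path} = {f.value!r}')
```

Run as a script it prints seven findings and nothing for the WINWORD.EXE row; the same parser can be pointed at a full report export to pull out only the writes that weaken the host.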
AutoIT Executable  11 IoCs
AutoIT scripts compiled to PE executables.
  yara rule autoit_exe matched in:
  behavioral1/memory/1476-55-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1480-73-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1196-75-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/2024-76-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/528-86-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1476-88-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1480-93-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1196-94-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/1516-96-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/2024-95-0x0000000000400000-0x00000000004A0000-memory.dmp
  behavioral1/memory/528-99-0x0000000000400000-0x00000000004A0000-memory.dmp
Drops file in System32 directory  9 IoCs
  File created                  C:\Windows\SysWOW64\jpvoqisbdh.exe       9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File created                  C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File created                  C:\Windows\SysWOW64\durzvgff.exe         9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File created                  C:\Windows\SysWOW64\wsydqptkwymkc.exe    9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\SysWOW64\jpvoqisbdh.exe       9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\SysWOW64\durzvgff.exe         9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\SysWOW64\wsydqptkwymkc.exe    9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll         jpvoqisbdh.exe
The four randomly named executables are the copies that run as PIDs 1480, 1196, 2024/528 and 1516 below; jpvoqisbdh.exe additionally opens the VB6 runtime msvbvm60.dll for writing.
Drops file in Program Files directory  22 IoCs
  (all by durzvgff.exe)
  File created                  \??\c:\Program Files\DenyExport.doc.exe
  File opened for modification  C:\Program Files\DenyExport.doc.exe  (2 entries)
  File opened for modification  \??\c:\Program Files\DenyExport.doc.exe  (2 entries)
  File opened for modification  C:\Program Files\DenyExport.nal  (2 entries)
  File created                  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe  (2 entries)
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe  (2 entries)
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal  (2 entries)
  File created                  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  (2 entries)
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  (2 entries)
  File opened for modification  \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe  (2 entries)
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal  (2 entries)
Each document durzvgff.exe touches gets a new <name>.doc.exe next to a <name>.nal file. Because jpvoqisbdh.exe has set HideFileExt, the .exe suffix is not shown in Explorer and the copies appear as Word documents.
Drops file in Windows directory  5 IoCs
  File opened for modification  C:\Windows\mydoc.rtf                 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe
  File opened for modification  C:\Windows\mydoc.rtf                 WINWORD.EXE
  File created                  C:\Windows\~$mydoc.rtf               WINWORD.EXE
  File opened for modification  C:\Windows\~$mydoc.rtf               WINWORD.EXE
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log    WINWORD.EXE
The sample writes C:\Windows\mydoc.rtf and then starts WINWORD.EXE (PID 288, see the WriteProcessMemory table) on it; the ~$mydoc.rtf owner file is Word's normal lock artefact for an open document.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature text; nothing else in this report shows file encryption.)
Office loads VBA resources, possible macro or embedded object present
No IoCs are listed for this signature; WINWORD.EXE (PID 288) is the only Office process in this run.
Modifies Internet Explorer settings  31 IoCs
  (all by WINWORD.EXE; the two values of type data are printed as hex)
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
  Set value (str)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt
  Set value (int)  \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Key created      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar
Modifies registry class  64 IoCs
  By 9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe:
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B02F449738E852C8BAD53293D7B9"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D789D5683506D4676A077252CDC7DF364A8"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC67514E0DAB3B8BA7FE6ED9434CF"
  By jpvoqisbdh.exe:
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
  By WINWORD.EXE (58 entries):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
The six entries not written by WINWORD.EXE are the ones that matter: CLV.Classes is not a standard Windows ProgID, so the Com1/Com3/StartCom2 values written by the sample are specific host indicators, and setting the default class of .wsc (Windows Script Component) to txtfile reroutes those files to the plain-text handler. The WINWORD.EXE entries are Office's own HTML/MHTML handler registration, and the 64 limit is the report's display cap.
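The values of type data that WINWORD.EXE writes under the OpenWithList keys above (and under the Internet Explorer editor keys) are printed as raw hex. They are NUL-terminated UTF-16LE strings that hold a Windows Installer "Darwin descriptor" followed by command-line arguments, which is how Office registers a self-repairing verb. The script below is an added example, not part of the report: it decodes the two distinct blobs from this page and expands the 20-character compressed product and component codes back to GUIDs. The base-85 alphabet is the one Windows Installer uses for compressed GUIDs (supplied by the editor); the hex strings are copied verbatim from the tables above.

```python
# Constructed sample: the two distinct REG_BINARY "command" values from the tables
# above, hex exactly as the report prints it. The Word descriptor also appears under
# the Internet Explorer "Default HTML Editor" and "Default MHTML Editor" keys.
SAMPLE_COMMANDS = {
    'HKLM\\SOFTWARE\\Classes\\.mht\\OpenWithList\\Microsoft Word\\shell\\edit\\command\\command':
        '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00'
        '57004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d00'
        '7b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000',
    'HKLM\\SOFTWARE\\Classes\\.htm\\OpenWithList\\Excel.exe\\shell\\edit\\command\\command':
        '7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b00'
        '45005800430045004c00460069006c00650073003e00560069006a00710042006f00660028005900'
        '3800270077002100460049006400310067004c00510020002f0064006400650000000000',
}

# Base-85 digit alphabet Windows Installer uses for "compressed" GUIDs in Darwin descriptors.
DARWIN_ALPHABET = "!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~"


def decode_reg_binary_text(hexstr: str) -> str:
    """Office writes these REG_BINARY values as NUL-terminated UTF-16LE text."""
    return bytes.fromhex(hexstr).decode('utf-16-le').rstrip('\x00')


def decompress_guid(enc: str) -> str:
    """20 characters -> four 32-bit words; each word is five base-85 digits,
    least significant digit first. Word 1 = Data1, word 2 = Data2 | Data3 << 16,
    words 3 and 4 = Data4 as little-endian bytes."""
    if len(enc) != 20:
        raise ValueError('compressed GUID must be 20 characters')
    words = []
    for i in range(0, 20, 5):
        v = 0
        for ch in reversed(enc[i:i + 5]):
            v = v * 85 + DARWIN_ALPHABET.index(ch)
        if v > 0xFFFFFFFF:
            raise ValueError('not a valid compressed GUID')
        words.append(v)
    d1, d23, d4a, d4b = words
    data4 = d4a.to_bytes(4, 'little') + d4b.to_bytes(4, 'little')
    return '{%08X-%04X-%04X-%s-%s}' % (d1, d23 & 0xFFFF, d23 >> 16,
                                       data4[:2].hex().upper(), data4[2:].hex().upper())


def parse_darwin_command(text: str) -> dict:
    """Split '<product:20 chars><feature>><component:20 chars> <args>' into its parts."""
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition('>')
    if not sep or len(rest) < 20:
        raise ValueError('not a Darwin descriptor')
    component, args = rest[:20], rest[20:]
    return {
        'product_code': decompress_guid(product),
        'feature': feature,
        'component_code': decompress_guid(component),
        'args': args.strip(),
    }


def decode_all(commands: dict = SAMPLE_COMMANDS) -> dict:
    """Decode every blob; returns {value path: parsed descriptor}."""
    return {path: parse_darwin_command(decode_reg_binary_text(h)) for path, h in commands.items()}


if __name__ == '__main__':
    for path, parsed in decode_all().items():
        print(path)
        for k, v in parsed.items():
            print(f'  {k:15} {v}')
```

Both blobs decode to the same product code, {90140000-0011-0000-0000-0000000FF1CE}, with the features WORDFiles and EXCELFiles and the arguments /n "%1" and /dde respectively: the Office 2010 (Office14) installation on the image registering its own handlers. Nothing in these values belongs to the sample, which is worth establishing before copying opaque hex out of a report as an indicator.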
Suspicious behavior: AddClipboardFormatListener  1 IoCs
  PID 288  WINWORD.EXE
Suspicious behavior: EnumeratesProcesses  64 IoCs
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  (8 entries)
  PID 1480  jpvoqisbdh.exe       (5 entries)
  PID 1196  fabbtwkqbrluhyp.exe  (19 entries)
  PID 1516  wsydqptkwymkc.exe    (24 entries)
  PID 2024  durzvgff.exe         (4 entries)
  PID 528   durzvgff.exe         (4 entries)
  (64 is the display cap; fabbtwkqbrluhyp.exe and wsydqptkwymkc.exe keep alternating until the list is cut off)
Suspicious use of FindShellTrayWindow  19 IoCs
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  (4 entries)
  PID 1480  jpvoqisbdh.exe       (3 entries)
  PID 2024  durzvgff.exe         (3 entries)
  PID 1196  fabbtwkqbrluhyp.exe  (3 entries)
  PID 1516  wsydqptkwymkc.exe    (3 entries)
  PID 528   durzvgff.exe         (3 entries)
Suspicious use of SendNotifyMessage  19 IoCs
  (same processes and counts as FindShellTrayWindow)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  (4 entries)
  PID 1480  jpvoqisbdh.exe       (3 entries)
  PID 2024  durzvgff.exe         (3 entries)
  PID 1196  fabbtwkqbrluhyp.exe  (3 entries)
  PID 1516  wsydqptkwymkc.exe    (3 entries)
  PID 528   durzvgff.exe         (3 entries)
Suspicious use of SetWindowsHookEx  2 IoCs
  PID 288  WINWORD.EXE  (2 entries)
Suspicious use of WriteProcessMemory  28 IoCs
  (each pair is recorded four times; procid_target in parentheses; target image names taken from the PID tables above)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  wrote to memory of  1480  jpvoqisbdh.exe       (27)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  wrote to memory of  1196  fabbtwkqbrluhyp.exe  (28)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  wrote to memory of  2024  durzvgff.exe         (29)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  wrote to memory of  1516  wsydqptkwymkc.exe    (30)
  PID 1480  jpvoqisbdh.exe                                                         wrote to memory of  528   durzvgff.exe         (31)
  PID 1476  9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe  wrote to memory of  288   WINWORD.EXE          (32)
  PID 288   WINWORD.EXE                                                            wrote to memory of  976   (image not named in this report)  (36)
Every pair here is also a parent/child edge of the process tree, which is the pattern a parent produces while setting up a child it has just created; on its own it is not evidence of injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe (level 1, PID 1476)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e0564beb8057e1f666c2cb5918e8961875f9a2fe13c945c19cca6d30c8761b6.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\jpvoqisbdh.exe (level 2, PID 1480)
    Command line: jpvoqisbdh.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\durzvgff.exe (level 3, PID 528)
      Command line: C:\Windows\system32\durzvgff.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\fabbtwkqbrluhyp.exe (level 2, PID 1196)
    Command line: fabbtwkqbrluhyp.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\durzvgff.exe (level 2, PID 2024)
    Command line: durzvgff.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\wsydqptkwymkc.exe (level 2, PID 1516)
    Command line: wsydqptkwymkc.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2, PID 288)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\splwow64.exe (level 3, PID 976)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Disabling Security Tools: 2
- Hidden Files and Directories: 2
- Modify Registry: 7
Downloads