82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1

Analysis

max time kernel
175s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
Size

255KB
MD5

a4091b61aa64eb56890e71daf501a989
SHA1

91089db448c09c4b8c0b9f00e9ad2058144535fe
SHA256

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1
SHA512

e42de641da7fdf6a5c928132fa939e59974f37603d134565aefdee5518850a1e4ed26c755fe1b16a98808bf5da91e26029cf0eb41acbf1b89dba167e8204b6c4
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJv:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIM

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bxyqnekxmw.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bxyqnekxmw.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bxyqnekxmw.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bxyqnekxmw.exe

Executes dropped EXE 5 IoCs

Processes:

bxyqnekxmw.exelbxetpalpqmzzmg.exeyjqawboi.exehamsjbtxjlkki.exeyjqawboi.exe

pid process

320 bxyqnekxmw.exe
560 lbxetpalpqmzzmg.exe
588 yjqawboi.exe
536 hamsjbtxjlkki.exe
1960 yjqawboi.exe

pid	process
320	bxyqnekxmw.exe
560	lbxetpalpqmzzmg.exe
588	yjqawboi.exe
536	hamsjbtxjlkki.exe
1960	yjqawboi.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/952-54-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\bxyqnekxmw.exe	upx
behavioral1/memory/952-57-0x0000000003310000-0x00000000033B0000-memory.dmp	upx
\Windows\SysWOW64\lbxetpalpqmzzmg.exe	upx
C:\Windows\SysWOW64\bxyqnekxmw.exe	upx
C:\Windows\SysWOW64\lbxetpalpqmzzmg.exe	upx
\Windows\SysWOW64\yjqawboi.exe	upx
\Windows\SysWOW64\hamsjbtxjlkki.exe	upx
C:\Windows\SysWOW64\yjqawboi.exe	upx
behavioral1/memory/320-71-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/588-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\hamsjbtxjlkki.exe	upx
C:\Windows\SysWOW64\bxyqnekxmw.exe	upx
C:\Windows\SysWOW64\yjqawboi.exe	upx
C:\Windows\SysWOW64\hamsjbtxjlkki.exe	upx
\Windows\SysWOW64\yjqawboi.exe	upx
C:\Windows\SysWOW64\yjqawboi.exe	upx
behavioral1/memory/952-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/536-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1960-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/952-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/320-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/588-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1960-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/536-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
C:\Users\Admin\Music\RepairSuspend.doc.exe	upx

Loads dropped DLL 5 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exe

pid	process
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
320	bxyqnekxmw.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bxyqnekxmw.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

yjqawboi.exebxyqnekxmw.exeyjqawboi.exe

description	ioc	process
File opened (read-only)	\??\l:	yjqawboi.exe
File opened (read-only)	\??\n:	yjqawboi.exe
File opened (read-only)	\??\i:	bxyqnekxmw.exe
File opened (read-only)	\??\t:	bxyqnekxmw.exe
File opened (read-only)	\??\n:	yjqawboi.exe
File opened (read-only)	\??\e:	yjqawboi.exe
File opened (read-only)	\??\p:	yjqawboi.exe
File opened (read-only)	\??\u:	yjqawboi.exe
File opened (read-only)	\??\f:	bxyqnekxmw.exe
File opened (read-only)	\??\a:	yjqawboi.exe
File opened (read-only)	\??\l:	yjqawboi.exe
File opened (read-only)	\??\z:	yjqawboi.exe
File opened (read-only)	\??\h:	yjqawboi.exe
File opened (read-only)	\??\r:	yjqawboi.exe
File opened (read-only)	\??\t:	yjqawboi.exe
File opened (read-only)	\??\x:	bxyqnekxmw.exe
File opened (read-only)	\??\i:	yjqawboi.exe
File opened (read-only)	\??\w:	yjqawboi.exe
File opened (read-only)	\??\t:	yjqawboi.exe
File opened (read-only)	\??\k:	yjqawboi.exe
File opened (read-only)	\??\y:	yjqawboi.exe
File opened (read-only)	\??\h:	bxyqnekxmw.exe
File opened (read-only)	\??\m:	bxyqnekxmw.exe
File opened (read-only)	\??\j:	yjqawboi.exe
File opened (read-only)	\??\m:	yjqawboi.exe
File opened (read-only)	\??\q:	yjqawboi.exe
File opened (read-only)	\??\v:	yjqawboi.exe
File opened (read-only)	\??\w:	bxyqnekxmw.exe
File opened (read-only)	\??\y:	yjqawboi.exe
File opened (read-only)	\??\x:	yjqawboi.exe
File opened (read-only)	\??\z:	bxyqnekxmw.exe
File opened (read-only)	\??\x:	yjqawboi.exe
File opened (read-only)	\??\y:	bxyqnekxmw.exe
File opened (read-only)	\??\p:	yjqawboi.exe
File opened (read-only)	\??\b:	yjqawboi.exe
File opened (read-only)	\??\o:	yjqawboi.exe
File opened (read-only)	\??\w:	yjqawboi.exe
File opened (read-only)	\??\g:	bxyqnekxmw.exe
File opened (read-only)	\??\n:	bxyqnekxmw.exe
File opened (read-only)	\??\q:	bxyqnekxmw.exe
File opened (read-only)	\??\r:	yjqawboi.exe
File opened (read-only)	\??\g:	yjqawboi.exe
File opened (read-only)	\??\m:	yjqawboi.exe
File opened (read-only)	\??\v:	bxyqnekxmw.exe
File opened (read-only)	\??\b:	yjqawboi.exe
File opened (read-only)	\??\f:	yjqawboi.exe
File opened (read-only)	\??\q:	yjqawboi.exe
File opened (read-only)	\??\f:	yjqawboi.exe
File opened (read-only)	\??\j:	yjqawboi.exe
File opened (read-only)	\??\b:	bxyqnekxmw.exe
File opened (read-only)	\??\k:	bxyqnekxmw.exe
File opened (read-only)	\??\r:	bxyqnekxmw.exe
File opened (read-only)	\??\k:	yjqawboi.exe
File opened (read-only)	\??\i:	yjqawboi.exe
File opened (read-only)	\??\e:	bxyqnekxmw.exe
File opened (read-only)	\??\j:	bxyqnekxmw.exe
File opened (read-only)	\??\u:	bxyqnekxmw.exe
File opened (read-only)	\??\e:	yjqawboi.exe
File opened (read-only)	\??\g:	yjqawboi.exe
File opened (read-only)	\??\a:	yjqawboi.exe
File opened (read-only)	\??\z:	yjqawboi.exe
File opened (read-only)	\??\a:	bxyqnekxmw.exe
File opened (read-only)	\??\o:	bxyqnekxmw.exe
File opened (read-only)	\??\p:	bxyqnekxmw.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bxyqnekxmw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	bxyqnekxmw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	bxyqnekxmw.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/320-71-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/588-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/952-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/536-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1960-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/952-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/320-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/588-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1960-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/536-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\yjqawboi.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	bxyqnekxmw.exe
File created	C:\Windows\SysWOW64\bxyqnekxmw.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File created	C:\Windows\SysWOW64\lbxetpalpqmzzmg.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File opened for modification	C:\Windows\SysWOW64\lbxetpalpqmzzmg.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File created	C:\Windows\SysWOW64\yjqawboi.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File opened for modification	C:\Windows\SysWOW64\bxyqnekxmw.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File created	C:\Windows\SysWOW64\hamsjbtxjlkki.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File opened for modification	C:\Windows\SysWOW64\hamsjbtxjlkki.exe	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe

Drops file in Program Files directory 14 IoCs

Processes:

yjqawboi.exeyjqawboi.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yjqawboi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	yjqawboi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yjqawboi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yjqawboi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yjqawboi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	yjqawboi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yjqawboi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	yjqawboi.exe

Drops file in Windows directory 5 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D0B9D2082276A3276D570562DD67D8365DE"	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	bxyqnekxmw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FFF9482D82129132D75A7E91BCE5E141594B67356335D79D"	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	bxyqnekxmw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	bxyqnekxmw.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1680 WINWORD.EXE

pid	process
1680	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exeyjqawboi.exehamsjbtxjlkki.exeyjqawboi.exe

pid	process
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
588	yjqawboi.exe
588	yjqawboi.exe
588	yjqawboi.exe
588	yjqawboi.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
1960	yjqawboi.exe
1960	yjqawboi.exe
1960	yjqawboi.exe
1960	yjqawboi.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exeyjqawboi.exehamsjbtxjlkki.exeyjqawboi.exe

pid	process
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
588	yjqawboi.exe
536	hamsjbtxjlkki.exe
588	yjqawboi.exe
588	yjqawboi.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
1960	yjqawboi.exe
1960	yjqawboi.exe
1960	yjqawboi.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exeyjqawboi.exehamsjbtxjlkki.exeyjqawboi.exe

pid	process
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
320	bxyqnekxmw.exe
588	yjqawboi.exe
588	yjqawboi.exe
588	yjqawboi.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
536	hamsjbtxjlkki.exe
1960	yjqawboi.exe
1960	yjqawboi.exe
1960	yjqawboi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1680 WINWORD.EXE
1680 WINWORD.EXE

pid	process
1680	WINWORD.EXE
1680	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exebxyqnekxmw.exeWINWORD.EXE

description	pid	process	target process
PID 952 wrote to memory of 320	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	bxyqnekxmw.exe
PID 952 wrote to memory of 320	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	bxyqnekxmw.exe
PID 952 wrote to memory of 320	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	bxyqnekxmw.exe
PID 952 wrote to memory of 320	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	bxyqnekxmw.exe
PID 952 wrote to memory of 560	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	lbxetpalpqmzzmg.exe
PID 952 wrote to memory of 560	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	lbxetpalpqmzzmg.exe
PID 952 wrote to memory of 560	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	lbxetpalpqmzzmg.exe
PID 952 wrote to memory of 560	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	lbxetpalpqmzzmg.exe
PID 952 wrote to memory of 588	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	yjqawboi.exe
PID 952 wrote to memory of 588	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	yjqawboi.exe
PID 952 wrote to memory of 588	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	yjqawboi.exe
PID 952 wrote to memory of 588	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	yjqawboi.exe
PID 952 wrote to memory of 536	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	hamsjbtxjlkki.exe
PID 952 wrote to memory of 536	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	hamsjbtxjlkki.exe
PID 952 wrote to memory of 536	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	hamsjbtxjlkki.exe
PID 952 wrote to memory of 536	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	hamsjbtxjlkki.exe
PID 320 wrote to memory of 1960	320	bxyqnekxmw.exe	yjqawboi.exe
PID 320 wrote to memory of 1960	320	bxyqnekxmw.exe	yjqawboi.exe
PID 320 wrote to memory of 1960	320	bxyqnekxmw.exe	yjqawboi.exe
PID 320 wrote to memory of 1960	320	bxyqnekxmw.exe	yjqawboi.exe
PID 952 wrote to memory of 1680	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	WINWORD.EXE
PID 952 wrote to memory of 1680	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	WINWORD.EXE
PID 952 wrote to memory of 1680	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	WINWORD.EXE
PID 952 wrote to memory of 1680	952	82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe	WINWORD.EXE
PID 1680 wrote to memory of 1388	1680	WINWORD.EXE	splwow64.exe
PID 1680 wrote to memory of 1388	1680	WINWORD.EXE	splwow64.exe
PID 1680 wrote to memory of 1388	1680	WINWORD.EXE	splwow64.exe
PID 1680 wrote to memory of 1388	1680	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe
"C:\Users\Admin\AppData\Local\Temp\82e50a8f03b010a3a1e65111d9150eeb72ff9147a05170c01c1bdccf98b1c8c1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\bxyqnekxmw.exe
bxyqnekxmw.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\yjqawboi.exe
C:\Windows\system32\yjqawboi.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1960

C:\Windows\SysWOW64\lbxetpalpqmzzmg.exe
lbxetpalpqmzzmg.exe
2⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWOW64\yjqawboi.exe
yjqawboi.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:588

C:\Windows\SysWOW64\hamsjbtxjlkki.exe
hamsjbtxjlkki.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:536

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1388

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
7ef2e78e0f23760d59504c628b977158

SHA1
0354e25ce49708b0db6392e4a167c515e9e59902

SHA256
748393532b9bd4176f20edec90954c3cef19ed2481630dc5082be9254968e09e

SHA512
0722708529c0afd449262c8d3a8f9b0cbefd075ba1368bcb0eb5c1d759d3694f54c1aeeaa45f0c33f0554fb8896fbc6479f49561a0291a3e34737c38e75faa6d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
a99b4f5aa400c198b4b34a3b0d2badb1

SHA1
b49c01088cdb638db11ca714054b8ec19a73aa4f

SHA256
7132b19b74175692b16f7505ba237aebe0a3a75e3dba0db4b7a113a92ff057b5

SHA512
9376062d7d9307e8505930c7e3a18020fad5c48b60e57fc6f50b5bd9d53e47fd1880b779930cde447586184d74b0bbafde41eb3001e41f003f7f09bf24abf20a

Download Submit
C:\Users\Admin\Music\RepairSuspend.doc.exe
Filesize
255KB

MD5
5822da7d5c75700087a433e1685c0b2c

SHA1
dd8a947a829962f49d9d5b1e946b816f665366b2

SHA256
cf2b81feca84fd8923878ece06825637b2adbe7dac9525cb797b7eae29d7ae07

SHA512
8db5244df95e175ec0c00749ad71c6446222c5388633e23bd247dbd6a77d4ed088610f7916500f47b3f0b43b6b99874c2f85d2a60302f0fd0a26a8cf59909078

Download Submit
C:\Windows\SysWOW64\bxyqnekxmw.exe
Filesize
255KB

MD5
564b26a533adcbcf34f3673aae176842

SHA1
17c1d0e2fc2a280e1f8c724aa1d2b7f9df7879e5

SHA256
d77c5bb0f61a10035061e9b5555ad704e268d6a05fd4f8ed3717e044e5939092

SHA512
d955c5d6d9b3445b3de78b58ca2ff75129ee63f9e3f24937867114bf07e6dfe2878c43cddb607576ece3b3cde6e93388189b8369a87666b56793da13bf8debe5

Download Submit
C:\Windows\SysWOW64\bxyqnekxmw.exe
Filesize
255KB

MD5
564b26a533adcbcf34f3673aae176842

SHA1
17c1d0e2fc2a280e1f8c724aa1d2b7f9df7879e5

SHA256
d77c5bb0f61a10035061e9b5555ad704e268d6a05fd4f8ed3717e044e5939092

SHA512
d955c5d6d9b3445b3de78b58ca2ff75129ee63f9e3f24937867114bf07e6dfe2878c43cddb607576ece3b3cde6e93388189b8369a87666b56793da13bf8debe5

Download Submit
C:\Windows\SysWOW64\hamsjbtxjlkki.exe
Filesize
255KB

MD5
c1c33ec968ab5b44c0f6510117ddc1f3

SHA1
25a55d1b9b6f8bde1f9d41384d4cc9a36d942736

SHA256
5114bbc7c15187a91988d86d7d45e773a07f58fb8434b0014d4790b0019e3c23

SHA512
8a8ae37fab505d4d88175f4582f79ae3a0018b47c27fede040fab41cc17ee101d8c550b23b393ca986af544c04a748797f793d4a363c18f50eecce4fc92d0a84

Download Submit
C:\Windows\SysWOW64\hamsjbtxjlkki.exe
Filesize
255KB

MD5
c1c33ec968ab5b44c0f6510117ddc1f3

SHA1
25a55d1b9b6f8bde1f9d41384d4cc9a36d942736

SHA256
5114bbc7c15187a91988d86d7d45e773a07f58fb8434b0014d4790b0019e3c23

SHA512
8a8ae37fab505d4d88175f4582f79ae3a0018b47c27fede040fab41cc17ee101d8c550b23b393ca986af544c04a748797f793d4a363c18f50eecce4fc92d0a84

Download Submit
C:\Windows\SysWOW64\lbxetpalpqmzzmg.exe
Filesize
255KB

MD5
1717ff97cd0bfd21774b4c2cf69473c8

SHA1
15ef13e9ec0a171776b6c6abba6d02e740005fcf

SHA256
5b573baaba8f6ab78025590ea4e9d498af8e2e54289ac7e8d17c89b94ccad644

SHA512
62a40be1c44e3bf0508df7edb4d34c55e7b53845c322d2d089b6ca99d00c9e60c55a4c8457876a8e332a9ecbbc554e579b508a0cf69452373b9bd13795d52108

Download Submit
C:\Windows\SysWOW64\yjqawboi.exe
Filesize
255KB

MD5
6fb96ff9201574c544549d2b19418de8

SHA1
681c971f4f47aa976ce02c0c9f71e21c39c69bac

SHA256
15fe686d1797631d74f7963c70a9b34ad687307bfabb46ab31898733824ace09

SHA512
e65ba435c10d7b376b26600f2fa291559ccce684ce2538ba9fba7ed947de9d9b028be3e8b88bb2461bb7bb7750ec3877efdb90f9da2d6806b5e11ac41f80ebe9

Download Submit
C:\Windows\SysWOW64\yjqawboi.exe
Filesize
255KB

MD5
6fb96ff9201574c544549d2b19418de8

SHA1
681c971f4f47aa976ce02c0c9f71e21c39c69bac

SHA256
15fe686d1797631d74f7963c70a9b34ad687307bfabb46ab31898733824ace09

SHA512
e65ba435c10d7b376b26600f2fa291559ccce684ce2538ba9fba7ed947de9d9b028be3e8b88bb2461bb7bb7750ec3877efdb90f9da2d6806b5e11ac41f80ebe9

Download Submit
C:\Windows\SysWOW64\yjqawboi.exe
Filesize
255KB

MD5
6fb96ff9201574c544549d2b19418de8

SHA1
681c971f4f47aa976ce02c0c9f71e21c39c69bac

SHA256
15fe686d1797631d74f7963c70a9b34ad687307bfabb46ab31898733824ace09

SHA512
e65ba435c10d7b376b26600f2fa291559ccce684ce2538ba9fba7ed947de9d9b028be3e8b88bb2461bb7bb7750ec3877efdb90f9da2d6806b5e11ac41f80ebe9

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\bxyqnekxmw.exe
Filesize
255KB

MD5
564b26a533adcbcf34f3673aae176842

SHA1
17c1d0e2fc2a280e1f8c724aa1d2b7f9df7879e5

SHA256
d77c5bb0f61a10035061e9b5555ad704e268d6a05fd4f8ed3717e044e5939092

SHA512
d955c5d6d9b3445b3de78b58ca2ff75129ee63f9e3f24937867114bf07e6dfe2878c43cddb607576ece3b3cde6e93388189b8369a87666b56793da13bf8debe5

Download Submit
\Windows\SysWOW64\hamsjbtxjlkki.exe
Filesize
255KB

MD5
c1c33ec968ab5b44c0f6510117ddc1f3

SHA1
25a55d1b9b6f8bde1f9d41384d4cc9a36d942736

SHA256
5114bbc7c15187a91988d86d7d45e773a07f58fb8434b0014d4790b0019e3c23

SHA512
8a8ae37fab505d4d88175f4582f79ae3a0018b47c27fede040fab41cc17ee101d8c550b23b393ca986af544c04a748797f793d4a363c18f50eecce4fc92d0a84

Download Submit
\Windows\SysWOW64\lbxetpalpqmzzmg.exe
Filesize
255KB

MD5
1717ff97cd0bfd21774b4c2cf69473c8

SHA1
15ef13e9ec0a171776b6c6abba6d02e740005fcf

SHA256
5b573baaba8f6ab78025590ea4e9d498af8e2e54289ac7e8d17c89b94ccad644

SHA512
62a40be1c44e3bf0508df7edb4d34c55e7b53845c322d2d089b6ca99d00c9e60c55a4c8457876a8e332a9ecbbc554e579b508a0cf69452373b9bd13795d52108

Download Submit
\Windows\SysWOW64\yjqawboi.exe
Filesize
255KB

MD5
6fb96ff9201574c544549d2b19418de8

SHA1
681c971f4f47aa976ce02c0c9f71e21c39c69bac

SHA256
15fe686d1797631d74f7963c70a9b34ad687307bfabb46ab31898733824ace09

SHA512
e65ba435c10d7b376b26600f2fa291559ccce684ce2538ba9fba7ed947de9d9b028be3e8b88bb2461bb7bb7750ec3877efdb90f9da2d6806b5e11ac41f80ebe9

Download Submit
\Windows\SysWOW64\yjqawboi.exe
Filesize
255KB

MD5
6fb96ff9201574c544549d2b19418de8

SHA1
681c971f4f47aa976ce02c0c9f71e21c39c69bac

SHA256
15fe686d1797631d74f7963c70a9b34ad687307bfabb46ab31898733824ace09

SHA512
e65ba435c10d7b376b26600f2fa291559ccce684ce2538ba9fba7ed947de9d9b028be3e8b88bb2461bb7bb7750ec3877efdb90f9da2d6806b5e11ac41f80ebe9

Download Submit
memory/320-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/320-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/536-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/536-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/536-70-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/588-66-0x0000000000000000-mapping.dmp

Download
memory/588-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/588-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/952-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/952-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/952-57-0x0000000003310000-0x00000000033B0000-memory.dmp

Filesize
640KB

Download
memory/952-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/952-54-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/952-72-0x0000000003310000-0x00000000033B0000-memory.dmp

Filesize
640KB

Download
memory/1388-100-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1388-99-0x0000000000000000-mapping.dmp

Download
memory/1680-89-0x000000006FE31000-0x000000006FE33000-memory.dmp

Filesize
8KB

Download
memory/1680-91-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/1680-98-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/1680-90-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1680-88-0x00000000723B1000-0x00000000723B4000-memory.dmp

Filesize
12KB

Download
memory/1680-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1680-102-0x0000000070E1D000-0x0000000070E28000-memory.dmp

Filesize
44KB

Download
memory/1680-86-0x0000000000000000-mapping.dmp

Download
memory/1960-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1960-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads