Analysis
-
max time kernel
151s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 21:07
Behavioral task
behavioral1
Sample
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
Resource
win10v2004-20221111-en
General
-
Target
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
-
Size
255KB
-
MD5
4ed00b378e088fe0b54b0e2096a6ba92
-
SHA1
eb908caa6b99f0e7f3bfd8dff93449f489c95a98
-
SHA256
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531
-
SHA512
45ec6f62d8b2e95696df53bf6edc86559b99672d13131064279db0def37c124062fad8bc192569165fe1d49c59df878e541b1918780223d3b8b33da3a002e6b8
-
SSDEEP
3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJp:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" upegczlerb.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" upegczlerb.exe -
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" upegczlerb.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" upegczlerb.exe -
Executes dropped EXE 6 IoCs
Processes:
upegczlerb.exekrabzupepwodcor.exeqpvlivuz.exetzlibfssagimy.exetzlibfssagimy.exeqpvlivuz.exepid process 1728 upegczlerb.exe 872 krabzupepwodcor.exe 1640 qpvlivuz.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 636 qpvlivuz.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exeexplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Processes:
resource yara_rule \Windows\SysWOW64\upegczlerb.exe upx C:\Windows\SysWOW64\upegczlerb.exe upx \Windows\SysWOW64\krabzupepwodcor.exe upx C:\Windows\SysWOW64\krabzupepwodcor.exe upx C:\Windows\SysWOW64\upegczlerb.exe upx C:\Windows\SysWOW64\krabzupepwodcor.exe upx \Windows\SysWOW64\qpvlivuz.exe upx C:\Windows\SysWOW64\qpvlivuz.exe upx \Windows\SysWOW64\tzlibfssagimy.exe upx C:\Windows\SysWOW64\tzlibfssagimy.exe upx C:\Windows\SysWOW64\tzlibfssagimy.exe upx C:\Windows\SysWOW64\qpvlivuz.exe upx behavioral1/memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmp upx \Windows\SysWOW64\tzlibfssagimy.exe upx C:\Windows\SysWOW64\tzlibfssagimy.exe upx behavioral1/memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmp upx \Windows\SysWOW64\qpvlivuz.exe upx C:\Windows\SysWOW64\qpvlivuz.exe upx behavioral1/memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmp upx behavioral1/memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmp upx C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe upx C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe upx -
Loads dropped DLL 6 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.execmd.exeupegczlerb.exepid process 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1324 cmd.exe 1728 upegczlerb.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" upegczlerb.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
krabzupepwodcor.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run krabzupepwodcor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fznmaxdh = "upegczlerb.exe" krabzupepwodcor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\djxicgkg = "krabzupepwodcor.exe" krabzupepwodcor.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tzlibfssagimy.exe" krabzupepwodcor.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
qpvlivuz.exeupegczlerb.exeqpvlivuz.exedescription ioc process File opened (read-only) \??\v: qpvlivuz.exe File opened (read-only) \??\v: upegczlerb.exe File opened (read-only) \??\w: qpvlivuz.exe File opened (read-only) \??\e: qpvlivuz.exe File opened (read-only) \??\q: qpvlivuz.exe File opened (read-only) \??\f: qpvlivuz.exe File opened (read-only) \??\q: qpvlivuz.exe File opened (read-only) \??\x: qpvlivuz.exe File opened (read-only) \??\a: qpvlivuz.exe File opened (read-only) \??\b: upegczlerb.exe File opened (read-only) \??\o: qpvlivuz.exe File opened (read-only) \??\z: qpvlivuz.exe File opened (read-only) \??\h: qpvlivuz.exe File opened (read-only) \??\n: qpvlivuz.exe File opened (read-only) \??\y: qpvlivuz.exe File opened (read-only) \??\q: upegczlerb.exe File opened (read-only) \??\s: qpvlivuz.exe File opened (read-only) \??\t: upegczlerb.exe File opened (read-only) \??\g: qpvlivuz.exe File opened (read-only) \??\u: upegczlerb.exe File opened (read-only) \??\f: qpvlivuz.exe File opened (read-only) \??\w: qpvlivuz.exe File opened (read-only) \??\l: qpvlivuz.exe File opened (read-only) \??\t: qpvlivuz.exe File opened (read-only) \??\i: upegczlerb.exe File opened (read-only) \??\b: qpvlivuz.exe File opened (read-only) \??\i: qpvlivuz.exe File opened (read-only) \??\e: upegczlerb.exe File opened (read-only) \??\h: upegczlerb.exe File opened (read-only) \??\n: upegczlerb.exe File opened (read-only) \??\a: qpvlivuz.exe File opened (read-only) \??\p: qpvlivuz.exe File opened (read-only) \??\r: qpvlivuz.exe File opened (read-only) \??\m: upegczlerb.exe File opened (read-only) \??\w: upegczlerb.exe File opened (read-only) \??\x: upegczlerb.exe File opened (read-only) \??\m: qpvlivuz.exe File opened (read-only) \??\k: upegczlerb.exe File opened (read-only) \??\l: upegczlerb.exe File opened (read-only) \??\p: upegczlerb.exe File opened (read-only) \??\v: qpvlivuz.exe File opened (read-only) \??\z: qpvlivuz.exe File opened (read-only) \??\s: qpvlivuz.exe File opened (read-only) \??\a: upegczlerb.exe File opened (read-only) \??\o: upegczlerb.exe File opened (read-only) \??\s: upegczlerb.exe File opened (read-only) \??\y: upegczlerb.exe File opened (read-only) \??\z: upegczlerb.exe File opened (read-only) \??\e: qpvlivuz.exe File opened (read-only) \??\k: qpvlivuz.exe File opened (read-only) \??\b: qpvlivuz.exe File opened (read-only) \??\g: upegczlerb.exe File opened (read-only) \??\m: qpvlivuz.exe File opened (read-only) \??\n: qpvlivuz.exe File opened (read-only) \??\o: qpvlivuz.exe File opened (read-only) \??\p: qpvlivuz.exe File opened (read-only) \??\k: qpvlivuz.exe File opened (read-only) \??\t: qpvlivuz.exe File opened (read-only) \??\j: qpvlivuz.exe File opened (read-only) \??\u: qpvlivuz.exe File opened (read-only) \??\i: qpvlivuz.exe File opened (read-only) \??\l: qpvlivuz.exe File opened (read-only) \??\x: qpvlivuz.exe File opened (read-only) \??\f: upegczlerb.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
upegczlerb.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" upegczlerb.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" upegczlerb.exe -
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule behavioral1/memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe behavioral1/memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmp autoit_exe -
Drops file in System32 directory 9 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exedescription ioc process File opened for modification C:\Windows\SysWOW64\qpvlivuz.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File created C:\Windows\SysWOW64\upegczlerb.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File opened for modification C:\Windows\SysWOW64\upegczlerb.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File created C:\Windows\SysWOW64\krabzupepwodcor.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File created C:\Windows\SysWOW64\qpvlivuz.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File opened for modification C:\Windows\SysWOW64\krabzupepwodcor.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File created C:\Windows\SysWOW64\tzlibfssagimy.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File opened for modification C:\Windows\SysWOW64\tzlibfssagimy.exe 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll upegczlerb.exe -
Drops file in Program Files directory 15 IoCs
Processes:
qpvlivuz.exeqpvlivuz.exedescription ioc process File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qpvlivuz.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qpvlivuz.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal qpvlivuz.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal qpvlivuz.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal qpvlivuz.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal qpvlivuz.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe qpvlivuz.exe -
Drops file in Windows directory 4 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeWINWORD.EXEdescription ioc process File opened for modification C:\Windows\mydoc.rtf 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
explorer.exeWINWORD.EXE1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exeexplorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768C6FE6A21ACD208D1A68A7D9162" 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" upegczlerb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" upegczlerb.exe Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC8D482C85189141D7217E96BCEEE1335940674E6333D69D" 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat upegczlerb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1524 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exekrabzupepwodcor.exeupegczlerb.exetzlibfssagimy.exeqpvlivuz.exetzlibfssagimy.exeqpvlivuz.exepid process 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 636 qpvlivuz.exe 636 qpvlivuz.exe 636 qpvlivuz.exe 636 qpvlivuz.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
explorer.exeAUDIODG.EXEexplorer.exedescription pid process Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: 33 892 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 892 AUDIODG.EXE Token: 33 892 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 892 AUDIODG.EXE Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1568 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe Token: SeShutdownPrivilege 1596 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exekrabzupepwodcor.exetzlibfssagimy.exeqpvlivuz.exetzlibfssagimy.exeqpvlivuz.exeexplorer.exeWINWORD.EXEexplorer.exepid process 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1728 upegczlerb.exe 872 krabzupepwodcor.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 268 tzlibfssagimy.exe 636 qpvlivuz.exe 636 qpvlivuz.exe 636 qpvlivuz.exe 1568 explorer.exe 1568 explorer.exe 1524 WINWORD.EXE 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1524 WINWORD.EXE 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe -
Suspicious use of SendNotifyMessage 51 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exekrabzupepwodcor.exetzlibfssagimy.exeqpvlivuz.exeexplorer.exeexplorer.exepid process 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe 1728 upegczlerb.exe 872 krabzupepwodcor.exe 1728 upegczlerb.exe 1728 upegczlerb.exe 872 krabzupepwodcor.exe 872 krabzupepwodcor.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1588 tzlibfssagimy.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 1640 qpvlivuz.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1568 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe 1596 explorer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1524 WINWORD.EXE 1524 WINWORD.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exekrabzupepwodcor.execmd.exeupegczlerb.exedescription pid process target process PID 1356 wrote to memory of 1728 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe upegczlerb.exe PID 1356 wrote to memory of 1728 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe upegczlerb.exe PID 1356 wrote to memory of 1728 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe upegczlerb.exe PID 1356 wrote to memory of 1728 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe upegczlerb.exe PID 1356 wrote to memory of 872 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe krabzupepwodcor.exe PID 1356 wrote to memory of 872 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe krabzupepwodcor.exe PID 1356 wrote to memory of 872 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe krabzupepwodcor.exe PID 1356 wrote to memory of 872 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe krabzupepwodcor.exe PID 1356 wrote to memory of 1640 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe qpvlivuz.exe PID 1356 wrote to memory of 1640 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe qpvlivuz.exe PID 1356 wrote to memory of 1640 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe qpvlivuz.exe PID 1356 wrote to memory of 1640 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe qpvlivuz.exe PID 1356 wrote to memory of 1588 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe tzlibfssagimy.exe PID 1356 wrote to memory of 1588 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe tzlibfssagimy.exe PID 1356 wrote to memory of 1588 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe tzlibfssagimy.exe PID 1356 wrote to memory of 1588 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe tzlibfssagimy.exe PID 872 wrote to memory of 1324 872 krabzupepwodcor.exe cmd.exe PID 872 wrote to memory of 1324 872 krabzupepwodcor.exe cmd.exe PID 872 wrote to memory of 1324 872 krabzupepwodcor.exe cmd.exe PID 872 wrote to memory of 1324 872 krabzupepwodcor.exe cmd.exe PID 1324 wrote to memory of 268 1324 cmd.exe tzlibfssagimy.exe PID 1324 wrote to memory of 268 1324 cmd.exe tzlibfssagimy.exe PID 1324 wrote to memory of 268 1324 cmd.exe tzlibfssagimy.exe PID 1324 wrote to memory of 268 1324 cmd.exe tzlibfssagimy.exe PID 1728 wrote to memory of 636 1728 upegczlerb.exe qpvlivuz.exe PID 1728 wrote to memory of 636 1728 upegczlerb.exe qpvlivuz.exe PID 1728 wrote to memory of 636 1728 upegczlerb.exe qpvlivuz.exe PID 1728 wrote to memory of 636 1728 upegczlerb.exe qpvlivuz.exe PID 1356 wrote to memory of 1524 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe WINWORD.EXE PID 1356 wrote to memory of 1524 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe WINWORD.EXE PID 1356 wrote to memory of 1524 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe WINWORD.EXE PID 1356 wrote to memory of 1524 1356 1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe WINWORD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe"C:\Users\Admin\AppData\Local\Temp\1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\upegczlerb.exeupegczlerb.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\qpvlivuz.exeC:\Windows\system32\qpvlivuz.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\krabzupepwodcor.exekrabzupepwodcor.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c tzlibfssagimy.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tzlibfssagimy.exetzlibfssagimy.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\qpvlivuz.exeqpvlivuz.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\tzlibfssagimy.exetzlibfssagimy.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5381⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Defense Evasion
Hidden Files and Directories
2Modify Registry
8Disabling Security Tools
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exeFilesize
255KB
MD5405d740631b638fcb5028381bbc5666a
SHA1523680f1d169220e3c9b69e090f90ac04f672d8e
SHA256adbed03b590cec0d1ae17342b254565c36b5f05410ac0d0b710bd57e429b138f
SHA5129b6fcd56ff543ba15aa2a80b462cd71f995858ccfbe8cc936d935fca715d1f5b77dcf6e5fe83a0720ad0129a76d47c7b9d1f2052190affb5d19a356c6f817153
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exeFilesize
255KB
MD58a288dec15f15a4c60910235576da758
SHA158af3aed98d66d76d3e8cd2ad2a7185a128aeb5c
SHA2562d778dddffc16e4394215748523d0dcdf0042db16a0c95f0008eea527c043947
SHA51201e2c8114363a3d855ada15ce8b99df5ed28cb248a8fcad407632d635368b0ec56812cf840bab6e5fcdcd30224053983426825fe88b1bad678099c72d91b0d8b
-
C:\Windows\SysWOW64\krabzupepwodcor.exeFilesize
255KB
MD5d263e1627198577710e0a151f652c581
SHA13c2499dd745dd0c6af84fc110fb0877ae6f9492d
SHA2565678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1
SHA5120cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2
-
C:\Windows\SysWOW64\krabzupepwodcor.exeFilesize
255KB
MD5d263e1627198577710e0a151f652c581
SHA13c2499dd745dd0c6af84fc110fb0877ae6f9492d
SHA2565678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1
SHA5120cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2
-
C:\Windows\SysWOW64\qpvlivuz.exeFilesize
255KB
MD573eb07857ae308e23f81a4ca71724d17
SHA149516c048c3d86a4e0c7a481ec3e960dcab4f083
SHA2567de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791
SHA51218e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999
-
C:\Windows\SysWOW64\qpvlivuz.exeFilesize
255KB
MD573eb07857ae308e23f81a4ca71724d17
SHA149516c048c3d86a4e0c7a481ec3e960dcab4f083
SHA2567de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791
SHA51218e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999
-
C:\Windows\SysWOW64\qpvlivuz.exeFilesize
255KB
MD573eb07857ae308e23f81a4ca71724d17
SHA149516c048c3d86a4e0c7a481ec3e960dcab4f083
SHA2567de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791
SHA51218e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999
-
C:\Windows\SysWOW64\tzlibfssagimy.exeFilesize
255KB
MD5edb47b9c1dcb10a062819f074dd14a83
SHA14b09819ef5d22586061e91d2c13d0803da9915ef
SHA256624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1
SHA512e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9
-
C:\Windows\SysWOW64\tzlibfssagimy.exeFilesize
255KB
MD5edb47b9c1dcb10a062819f074dd14a83
SHA14b09819ef5d22586061e91d2c13d0803da9915ef
SHA256624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1
SHA512e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9
-
C:\Windows\SysWOW64\tzlibfssagimy.exeFilesize
255KB
MD5edb47b9c1dcb10a062819f074dd14a83
SHA14b09819ef5d22586061e91d2c13d0803da9915ef
SHA256624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1
SHA512e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9
-
C:\Windows\SysWOW64\upegczlerb.exeFilesize
255KB
MD5a628da2ecfc13a3c8de7ca6c954979db
SHA1eb538848feb2132b9bb71756926265d362be7308
SHA256e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001
SHA51284c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1
-
C:\Windows\SysWOW64\upegczlerb.exeFilesize
255KB
MD5a628da2ecfc13a3c8de7ca6c954979db
SHA1eb538848feb2132b9bb71756926265d362be7308
SHA256e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001
SHA51284c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1
-
C:\Windows\mydoc.rtfFilesize
223B
MD506604e5941c126e2e7be02c5cd9f62ec
SHA14eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA25685f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\krabzupepwodcor.exeFilesize
255KB
MD5d263e1627198577710e0a151f652c581
SHA13c2499dd745dd0c6af84fc110fb0877ae6f9492d
SHA2565678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1
SHA5120cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2
-
\Windows\SysWOW64\qpvlivuz.exeFilesize
255KB
MD573eb07857ae308e23f81a4ca71724d17
SHA149516c048c3d86a4e0c7a481ec3e960dcab4f083
SHA2567de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791
SHA51218e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999
-
\Windows\SysWOW64\qpvlivuz.exeFilesize
255KB
MD573eb07857ae308e23f81a4ca71724d17
SHA149516c048c3d86a4e0c7a481ec3e960dcab4f083
SHA2567de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791
SHA51218e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999
-
\Windows\SysWOW64\tzlibfssagimy.exeFilesize
255KB
MD5edb47b9c1dcb10a062819f074dd14a83
SHA14b09819ef5d22586061e91d2c13d0803da9915ef
SHA256624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1
SHA512e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9
-
\Windows\SysWOW64\tzlibfssagimy.exeFilesize
255KB
MD5edb47b9c1dcb10a062819f074dd14a83
SHA14b09819ef5d22586061e91d2c13d0803da9915ef
SHA256624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1
SHA512e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9
-
\Windows\SysWOW64\upegczlerb.exeFilesize
255KB
MD5a628da2ecfc13a3c8de7ca6c954979db
SHA1eb538848feb2132b9bb71756926265d362be7308
SHA256e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001
SHA51284c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1
-
memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/268-77-0x0000000000000000-mapping.dmp
-
memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/636-87-0x0000000000000000-mapping.dmp
-
memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/872-60-0x0000000000000000-mapping.dmp
-
memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1324-75-0x0000000000000000-mapping.dmp
-
memory/1356-81-0x0000000002EE0000-0x0000000002F80000-memory.dmpFilesize
640KB
-
memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1356-54-0x0000000076711000-0x0000000076713000-memory.dmpFilesize
8KB
-
memory/1524-90-0x0000000000000000-mapping.dmp
-
memory/1524-93-0x0000000070951000-0x0000000070953000-memory.dmpFilesize
8KB
-
memory/1524-92-0x0000000072ED1000-0x0000000072ED4000-memory.dmpFilesize
12KB
-
memory/1524-96-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1524-109-0x000000007193D000-0x0000000071948000-memory.dmpFilesize
44KB
-
memory/1524-99-0x000000007193D000-0x0000000071948000-memory.dmpFilesize
44KB
-
memory/1524-101-0x000000006BE51000-0x000000006BE53000-memory.dmpFilesize
8KB
-
memory/1524-102-0x000000006BCE1000-0x000000006BCE3000-memory.dmpFilesize
8KB
-
memory/1568-100-0x000007FEFB601000-0x000007FEFB603000-memory.dmpFilesize
8KB
-
memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1588-70-0x0000000000000000-mapping.dmp
-
memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1640-66-0x0000000000000000-mapping.dmp
-
memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmpFilesize
640KB
-
memory/1728-56-0x0000000000000000-mapping.dmp