1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
Size

255KB
MD5

4ed00b378e088fe0b54b0e2096a6ba92
SHA1

eb908caa6b99f0e7f3bfd8dff93449f489c95a98
SHA256

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531
SHA512

45ec6f62d8b2e95696df53bf6edc86559b99672d13131064279db0def37c124062fad8bc192569165fe1d49c59df878e541b1918780223d3b8b33da3a002e6b8
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJp:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIo

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	upegczlerb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	upegczlerb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	upegczlerb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	upegczlerb.exe

Executes dropped EXE 6 IoCs

Processes:

upegczlerb.exekrabzupepwodcor.exeqpvlivuz.exetzlibfssagimy.exetzlibfssagimy.exeqpvlivuz.exe

pid process

1728 upegczlerb.exe
872 krabzupepwodcor.exe
1640 qpvlivuz.exe
1588 tzlibfssagimy.exe
268 tzlibfssagimy.exe
636 qpvlivuz.exe

pid	process
1728	upegczlerb.exe
872	krabzupepwodcor.exe
1640	qpvlivuz.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
636	qpvlivuz.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\upegczlerb.exe	upx
C:\Windows\SysWOW64\upegczlerb.exe	upx
\Windows\SysWOW64\krabzupepwodcor.exe	upx
C:\Windows\SysWOW64\krabzupepwodcor.exe	upx
C:\Windows\SysWOW64\upegczlerb.exe	upx
C:\Windows\SysWOW64\krabzupepwodcor.exe	upx
\Windows\SysWOW64\qpvlivuz.exe	upx
C:\Windows\SysWOW64\qpvlivuz.exe	upx
\Windows\SysWOW64\tzlibfssagimy.exe	upx
C:\Windows\SysWOW64\tzlibfssagimy.exe	upx
C:\Windows\SysWOW64\tzlibfssagimy.exe	upx
C:\Windows\SysWOW64\qpvlivuz.exe	upx
behavioral1/memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\tzlibfssagimy.exe	upx
C:\Windows\SysWOW64\tzlibfssagimy.exe	upx
behavioral1/memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\qpvlivuz.exe	upx
C:\Windows\SysWOW64\qpvlivuz.exe	upx
behavioral1/memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx

Loads dropped DLL 6 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.execmd.exeupegczlerb.exe

pid	process
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1324	cmd.exe
1728	upegczlerb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	upegczlerb.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

krabzupepwodcor.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	krabzupepwodcor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fznmaxdh = "upegczlerb.exe"	krabzupepwodcor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\djxicgkg = "krabzupepwodcor.exe"	krabzupepwodcor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "tzlibfssagimy.exe"	krabzupepwodcor.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

qpvlivuz.exeupegczlerb.exeqpvlivuz.exe

description	ioc	process
File opened (read-only)	\??\v:	qpvlivuz.exe
File opened (read-only)	\??\v:	upegczlerb.exe
File opened (read-only)	\??\w:	qpvlivuz.exe
File opened (read-only)	\??\e:	qpvlivuz.exe
File opened (read-only)	\??\q:	qpvlivuz.exe
File opened (read-only)	\??\f:	qpvlivuz.exe
File opened (read-only)	\??\q:	qpvlivuz.exe
File opened (read-only)	\??\x:	qpvlivuz.exe
File opened (read-only)	\??\a:	qpvlivuz.exe
File opened (read-only)	\??\b:	upegczlerb.exe
File opened (read-only)	\??\o:	qpvlivuz.exe
File opened (read-only)	\??\z:	qpvlivuz.exe
File opened (read-only)	\??\h:	qpvlivuz.exe
File opened (read-only)	\??\n:	qpvlivuz.exe
File opened (read-only)	\??\y:	qpvlivuz.exe
File opened (read-only)	\??\q:	upegczlerb.exe
File opened (read-only)	\??\s:	qpvlivuz.exe
File opened (read-only)	\??\t:	upegczlerb.exe
File opened (read-only)	\??\g:	qpvlivuz.exe
File opened (read-only)	\??\u:	upegczlerb.exe
File opened (read-only)	\??\f:	qpvlivuz.exe
File opened (read-only)	\??\w:	qpvlivuz.exe
File opened (read-only)	\??\l:	qpvlivuz.exe
File opened (read-only)	\??\t:	qpvlivuz.exe
File opened (read-only)	\??\i:	upegczlerb.exe
File opened (read-only)	\??\b:	qpvlivuz.exe
File opened (read-only)	\??\i:	qpvlivuz.exe
File opened (read-only)	\??\e:	upegczlerb.exe
File opened (read-only)	\??\h:	upegczlerb.exe
File opened (read-only)	\??\n:	upegczlerb.exe
File opened (read-only)	\??\a:	qpvlivuz.exe
File opened (read-only)	\??\p:	qpvlivuz.exe
File opened (read-only)	\??\r:	qpvlivuz.exe
File opened (read-only)	\??\m:	upegczlerb.exe
File opened (read-only)	\??\w:	upegczlerb.exe
File opened (read-only)	\??\x:	upegczlerb.exe
File opened (read-only)	\??\m:	qpvlivuz.exe
File opened (read-only)	\??\k:	upegczlerb.exe
File opened (read-only)	\??\l:	upegczlerb.exe
File opened (read-only)	\??\p:	upegczlerb.exe
File opened (read-only)	\??\v:	qpvlivuz.exe
File opened (read-only)	\??\z:	qpvlivuz.exe
File opened (read-only)	\??\s:	qpvlivuz.exe
File opened (read-only)	\??\a:	upegczlerb.exe
File opened (read-only)	\??\o:	upegczlerb.exe
File opened (read-only)	\??\s:	upegczlerb.exe
File opened (read-only)	\??\y:	upegczlerb.exe
File opened (read-only)	\??\z:	upegczlerb.exe
File opened (read-only)	\??\e:	qpvlivuz.exe
File opened (read-only)	\??\k:	qpvlivuz.exe
File opened (read-only)	\??\b:	qpvlivuz.exe
File opened (read-only)	\??\g:	upegczlerb.exe
File opened (read-only)	\??\m:	qpvlivuz.exe
File opened (read-only)	\??\n:	qpvlivuz.exe
File opened (read-only)	\??\o:	qpvlivuz.exe
File opened (read-only)	\??\p:	qpvlivuz.exe
File opened (read-only)	\??\k:	qpvlivuz.exe
File opened (read-only)	\??\t:	qpvlivuz.exe
File opened (read-only)	\??\j:	qpvlivuz.exe
File opened (read-only)	\??\u:	qpvlivuz.exe
File opened (read-only)	\??\i:	qpvlivuz.exe
File opened (read-only)	\??\l:	qpvlivuz.exe
File opened (read-only)	\??\x:	qpvlivuz.exe
File opened (read-only)	\??\f:	upegczlerb.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

upegczlerb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	upegczlerb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	upegczlerb.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\qpvlivuz.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File created	C:\Windows\SysWOW64\upegczlerb.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File opened for modification	C:\Windows\SysWOW64\upegczlerb.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File created	C:\Windows\SysWOW64\krabzupepwodcor.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File created	C:\Windows\SysWOW64\qpvlivuz.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File opened for modification	C:\Windows\SysWOW64\krabzupepwodcor.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File created	C:\Windows\SysWOW64\tzlibfssagimy.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File opened for modification	C:\Windows\SysWOW64\tzlibfssagimy.exe	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	upegczlerb.exe

Drops file in Program Files directory 15 IoCs

Processes:

qpvlivuz.exeqpvlivuz.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qpvlivuz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qpvlivuz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qpvlivuz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qpvlivuz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	qpvlivuz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	qpvlivuz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	qpvlivuz.exe

Drops file in Windows directory 4 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

explorer.exeWINWORD.EXE1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F768C6FE6A21ACD208D1A68A7D9162"	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	upegczlerb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	upegczlerb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FC8D482C85189141D7217E96BCEEE1335940674E6333D69D"	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	upegczlerb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1524 WINWORD.EXE

pid	process
1524	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exekrabzupepwodcor.exeupegczlerb.exetzlibfssagimy.exeqpvlivuz.exetzlibfssagimy.exeqpvlivuz.exe

pid	process
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
636	qpvlivuz.exe
636	qpvlivuz.exe
636	qpvlivuz.exe
636	qpvlivuz.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

explorer.exeAUDIODG.EXEexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE
Token: 33	892	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	892	AUDIODG.EXE
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe
Token: SeShutdownPrivilege	1596	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exekrabzupepwodcor.exetzlibfssagimy.exeqpvlivuz.exetzlibfssagimy.exeqpvlivuz.exeexplorer.exeWINWORD.EXEexplorer.exe

pid	process
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1728	upegczlerb.exe
872	krabzupepwodcor.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
268	tzlibfssagimy.exe
636	qpvlivuz.exe
636	qpvlivuz.exe
636	qpvlivuz.exe
1568	explorer.exe
1568	explorer.exe
1524	WINWORD.EXE
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1524	WINWORD.EXE
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exeupegczlerb.exekrabzupepwodcor.exetzlibfssagimy.exeqpvlivuz.exeexplorer.exeexplorer.exe

pid	process
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
1728	upegczlerb.exe
872	krabzupepwodcor.exe
1728	upegczlerb.exe
1728	upegczlerb.exe
872	krabzupepwodcor.exe
872	krabzupepwodcor.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1588	tzlibfssagimy.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
1640	qpvlivuz.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe
1596	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1524 WINWORD.EXE
1524 WINWORD.EXE

pid	process
1524	WINWORD.EXE
1524	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exekrabzupepwodcor.execmd.exeupegczlerb.exe

description	pid	process	target process
PID 1356 wrote to memory of 1728	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	upegczlerb.exe
PID 1356 wrote to memory of 1728	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	upegczlerb.exe
PID 1356 wrote to memory of 1728	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	upegczlerb.exe
PID 1356 wrote to memory of 1728	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	upegczlerb.exe
PID 1356 wrote to memory of 872	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	krabzupepwodcor.exe
PID 1356 wrote to memory of 872	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	krabzupepwodcor.exe
PID 1356 wrote to memory of 872	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	krabzupepwodcor.exe
PID 1356 wrote to memory of 872	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	krabzupepwodcor.exe
PID 1356 wrote to memory of 1640	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	qpvlivuz.exe
PID 1356 wrote to memory of 1640	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	qpvlivuz.exe
PID 1356 wrote to memory of 1640	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	qpvlivuz.exe
PID 1356 wrote to memory of 1640	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	qpvlivuz.exe
PID 1356 wrote to memory of 1588	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	tzlibfssagimy.exe
PID 1356 wrote to memory of 1588	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	tzlibfssagimy.exe
PID 1356 wrote to memory of 1588	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	tzlibfssagimy.exe
PID 1356 wrote to memory of 1588	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	tzlibfssagimy.exe
PID 872 wrote to memory of 1324	872	krabzupepwodcor.exe	cmd.exe
PID 872 wrote to memory of 1324	872	krabzupepwodcor.exe	cmd.exe
PID 872 wrote to memory of 1324	872	krabzupepwodcor.exe	cmd.exe
PID 872 wrote to memory of 1324	872	krabzupepwodcor.exe	cmd.exe
PID 1324 wrote to memory of 268	1324	cmd.exe	tzlibfssagimy.exe
PID 1324 wrote to memory of 268	1324	cmd.exe	tzlibfssagimy.exe
PID 1324 wrote to memory of 268	1324	cmd.exe	tzlibfssagimy.exe
PID 1324 wrote to memory of 268	1324	cmd.exe	tzlibfssagimy.exe
PID 1728 wrote to memory of 636	1728	upegczlerb.exe	qpvlivuz.exe
PID 1728 wrote to memory of 636	1728	upegczlerb.exe	qpvlivuz.exe
PID 1728 wrote to memory of 636	1728	upegczlerb.exe	qpvlivuz.exe
PID 1728 wrote to memory of 636	1728	upegczlerb.exe	qpvlivuz.exe
PID 1356 wrote to memory of 1524	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	WINWORD.EXE
PID 1356 wrote to memory of 1524	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	WINWORD.EXE
PID 1356 wrote to memory of 1524	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	WINWORD.EXE
PID 1356 wrote to memory of 1524	1356	1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe
"C:\Users\Admin\AppData\Local\Temp\1171030265f35b3c24b2dac53494b7fb69edd28dff69ea7bf53bead80642d531.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\upegczlerb.exe
upegczlerb.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\qpvlivuz.exe
C:\Windows\system32\qpvlivuz.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:636

C:\Windows\SysWOW64\krabzupepwodcor.exe
krabzupepwodcor.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c tzlibfssagimy.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\tzlibfssagimy.exe
tzlibfssagimy.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:268

C:\Windows\SysWOW64\qpvlivuz.exe
qpvlivuz.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1640

C:\Windows\SysWOW64\tzlibfssagimy.exe
tzlibfssagimy.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1588

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x538
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1596

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
405d740631b638fcb5028381bbc5666a

SHA1
523680f1d169220e3c9b69e090f90ac04f672d8e

SHA256
adbed03b590cec0d1ae17342b254565c36b5f05410ac0d0b710bd57e429b138f

SHA512
9b6fcd56ff543ba15aa2a80b462cd71f995858ccfbe8cc936d935fca715d1f5b77dcf6e5fe83a0720ad0129a76d47c7b9d1f2052190affb5d19a356c6f817153

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
8a288dec15f15a4c60910235576da758

SHA1
58af3aed98d66d76d3e8cd2ad2a7185a128aeb5c

SHA256
2d778dddffc16e4394215748523d0dcdf0042db16a0c95f0008eea527c043947

SHA512
01e2c8114363a3d855ada15ce8b99df5ed28cb248a8fcad407632d635368b0ec56812cf840bab6e5fcdcd30224053983426825fe88b1bad678099c72d91b0d8b

Download Submit
C:\Windows\SysWOW64\krabzupepwodcor.exe
Filesize
255KB

MD5
d263e1627198577710e0a151f652c581

SHA1
3c2499dd745dd0c6af84fc110fb0877ae6f9492d

SHA256
5678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1

SHA512
0cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2

Download Submit
C:\Windows\SysWOW64\krabzupepwodcor.exe
Filesize
255KB

MD5
d263e1627198577710e0a151f652c581

SHA1
3c2499dd745dd0c6af84fc110fb0877ae6f9492d

SHA256
5678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1

SHA512
0cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2

Download Submit
C:\Windows\SysWOW64\qpvlivuz.exe
Filesize
255KB

MD5
73eb07857ae308e23f81a4ca71724d17

SHA1
49516c048c3d86a4e0c7a481ec3e960dcab4f083

SHA256
7de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791

SHA512
18e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999

Download Submit
C:\Windows\SysWOW64\qpvlivuz.exe
Filesize
255KB

MD5
73eb07857ae308e23f81a4ca71724d17

SHA1
49516c048c3d86a4e0c7a481ec3e960dcab4f083

SHA256
7de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791

SHA512
18e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999

Download Submit
C:\Windows\SysWOW64\qpvlivuz.exe
Filesize
255KB

MD5
73eb07857ae308e23f81a4ca71724d17

SHA1
49516c048c3d86a4e0c7a481ec3e960dcab4f083

SHA256
7de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791

SHA512
18e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999

Download Submit
C:\Windows\SysWOW64\tzlibfssagimy.exe
Filesize
255KB

MD5
edb47b9c1dcb10a062819f074dd14a83

SHA1
4b09819ef5d22586061e91d2c13d0803da9915ef

SHA256
624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1

SHA512
e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9

Download Submit
C:\Windows\SysWOW64\tzlibfssagimy.exe
Filesize
255KB

MD5
edb47b9c1dcb10a062819f074dd14a83

SHA1
4b09819ef5d22586061e91d2c13d0803da9915ef

SHA256
624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1

SHA512
e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9

Download Submit
C:\Windows\SysWOW64\tzlibfssagimy.exe
Filesize
255KB

MD5
edb47b9c1dcb10a062819f074dd14a83

SHA1
4b09819ef5d22586061e91d2c13d0803da9915ef

SHA256
624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1

SHA512
e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9

Download Submit
C:\Windows\SysWOW64\upegczlerb.exe
Filesize
255KB

MD5
a628da2ecfc13a3c8de7ca6c954979db

SHA1
eb538848feb2132b9bb71756926265d362be7308

SHA256
e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001

SHA512
84c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1

Download Submit
C:\Windows\SysWOW64\upegczlerb.exe
Filesize
255KB

MD5
a628da2ecfc13a3c8de7ca6c954979db

SHA1
eb538848feb2132b9bb71756926265d362be7308

SHA256
e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001

SHA512
84c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\krabzupepwodcor.exe
Filesize
255KB

MD5
d263e1627198577710e0a151f652c581

SHA1
3c2499dd745dd0c6af84fc110fb0877ae6f9492d

SHA256
5678d17ffa50dba2f755a83a8002501a81f5d53a4ec6f3a4c9a0d4ee131478d1

SHA512
0cbf7bd9e3649ad3df449c5e1bdcb535adafe7ef9688cbfa369a88ea45ba50842a6521098598bfd8c8d6f6f4d7120b16c6859a7c2303fb495fb0a89c94cbdec2

Download Submit
\Windows\SysWOW64\qpvlivuz.exe
Filesize
255KB

MD5
73eb07857ae308e23f81a4ca71724d17

SHA1
49516c048c3d86a4e0c7a481ec3e960dcab4f083

SHA256
7de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791

SHA512
18e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999

Download Submit
\Windows\SysWOW64\qpvlivuz.exe
Filesize
255KB

MD5
73eb07857ae308e23f81a4ca71724d17

SHA1
49516c048c3d86a4e0c7a481ec3e960dcab4f083

SHA256
7de19014444ea6a31321e993028d35ba04c14b107ac61e391cac3a1000031791

SHA512
18e5916f6c3d439e2fb3726c50925ec573d025548afddbd3dfee978dca61a5be71b0138de8b48772ff2401bedacf20171c419b9f367b2392d571ddf473492999

Download Submit
\Windows\SysWOW64\tzlibfssagimy.exe
Filesize
255KB

MD5
edb47b9c1dcb10a062819f074dd14a83

SHA1
4b09819ef5d22586061e91d2c13d0803da9915ef

SHA256
624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1

SHA512
e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9

Download Submit
\Windows\SysWOW64\tzlibfssagimy.exe
Filesize
255KB

MD5
edb47b9c1dcb10a062819f074dd14a83

SHA1
4b09819ef5d22586061e91d2c13d0803da9915ef

SHA256
624144d03777f1435bbd77c20d15c9d94772d01ae96708f1e43f45cb641d30a1

SHA512
e2290b971fbf348dea339f6e0d2dce2ab44d854547b99fb01ea3ec3e4441a9a62a25d30489597d3291abb7ad855c152a33bb7b23a8fe3469f3248d8d8cbebee9

Download Submit
\Windows\SysWOW64\upegczlerb.exe
Filesize
255KB

MD5
a628da2ecfc13a3c8de7ca6c954979db

SHA1
eb538848feb2132b9bb71756926265d362be7308

SHA256
e2f1a8c7c5cd4ec08e06163f21c6f721113c51a5ac60894a5db4136d711e2001

SHA512
84c5a7f3e8e6096b14c991fd0e7a868e617b347d26b91e0e6597acc4d81200f4e61f29bfa1a2f517d8fdc19166566e6ab66ea2cb0db81b30c89dbb96806b38f1

Download Submit
memory/268-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/268-77-0x0000000000000000-mapping.dmp

Download
memory/268-107-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/636-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/636-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/636-87-0x0000000000000000-mapping.dmp

Download
memory/872-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/872-60-0x0000000000000000-mapping.dmp

Download
memory/872-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1324-75-0x0000000000000000-mapping.dmp

Download
memory/1356-81-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/1356-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1356-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1356-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1524-90-0x0000000000000000-mapping.dmp

Download
memory/1524-93-0x0000000070951000-0x0000000070953000-memory.dmp

Filesize
8KB

Download
memory/1524-92-0x0000000072ED1000-0x0000000072ED4000-memory.dmp

Filesize
12KB

Download
memory/1524-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1524-109-0x000000007193D000-0x0000000071948000-memory.dmp

Filesize
44KB

Download
memory/1524-99-0x000000007193D000-0x0000000071948000-memory.dmp

Filesize
44KB

Download
memory/1524-101-0x000000006BE51000-0x000000006BE53000-memory.dmp

Filesize
8KB

Download
memory/1524-102-0x000000006BCE1000-0x000000006BCE3000-memory.dmp

Filesize
8KB

Download
memory/1568-100-0x000007FEFB601000-0x000007FEFB603000-memory.dmp

Filesize
8KB

Download
memory/1588-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1588-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1588-70-0x0000000000000000-mapping.dmp

Download
memory/1640-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1640-66-0x0000000000000000-mapping.dmp

Download
memory/1640-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1728-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1728-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1728-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads