10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5

Analysis

max time kernel
205s
max time network
65s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Size

255KB
MD5

5824a9cd18620b9cc5c6886bc28cc1e5
SHA1

5fb227dedcd3e171b466da68487fb2606795547c
SHA256

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5
SHA512

77780a7393eb5dab9fa9aa8a56b1711ee13e34ed396fad5b6c2b8ea961c4e3300ec7fa1b6d44d15ad42e095da826c6d8cfafabad531e399121c377ed3c755036
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJ0:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIJ

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	elvnluemov.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	elvnluemov.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	elvnluemov.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	elvnluemov.exe

Executes dropped EXE 5 IoCs

Processes:

elvnluemov.exeynngljkgdhrgqnu.exejxwbbuvi.exerlrbnotwmehkk.exejxwbbuvi.exe

pid process

1052 elvnluemov.exe
672 ynngljkgdhrgqnu.exe
584 jxwbbuvi.exe
1544 rlrbnotwmehkk.exe
1352 jxwbbuvi.exe

pid	process
1052	elvnluemov.exe
672	ynngljkgdhrgqnu.exe
584	jxwbbuvi.exe
1544	rlrbnotwmehkk.exe
1352	jxwbbuvi.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1252-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\elvnluemov.exe	upx
behavioral1/memory/1252-57-0x00000000032F0000-0x0000000003390000-memory.dmp	upx
C:\Windows\SysWOW64\elvnluemov.exe	upx
\Windows\SysWOW64\ynngljkgdhrgqnu.exe	upx
C:\Windows\SysWOW64\elvnluemov.exe	upx
C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe	upx
\Windows\SysWOW64\jxwbbuvi.exe	upx
C:\Windows\SysWOW64\jxwbbuvi.exe	upx
\Windows\SysWOW64\rlrbnotwmehkk.exe	upx
C:\Windows\SysWOW64\rlrbnotwmehkk.exe	upx
C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe	upx
C:\Windows\SysWOW64\jxwbbuvi.exe	upx
C:\Windows\SysWOW64\rlrbnotwmehkk.exe	upx
\Windows\SysWOW64\jxwbbuvi.exe	upx
C:\Windows\SysWOW64\jxwbbuvi.exe	upx
behavioral1/memory/1052-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/672-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1544-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1352-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/584-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1252-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1052-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/672-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/584-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1544-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1352-100-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx

Loads dropped DLL 5 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exe

pid	process
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1052	elvnluemov.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	elvnluemov.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ynngljkgdhrgqnu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yvaonwjt = "ynngljkgdhrgqnu.exe"	ynngljkgdhrgqnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rlrbnotwmehkk.exe"	ynngljkgdhrgqnu.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ynngljkgdhrgqnu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jybxteti = "elvnluemov.exe"	ynngljkgdhrgqnu.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

jxwbbuvi.exeelvnluemov.exejxwbbuvi.exe

description	ioc	process
File opened (read-only)	\??\o:	jxwbbuvi.exe
File opened (read-only)	\??\w:	jxwbbuvi.exe
File opened (read-only)	\??\u:	elvnluemov.exe
File opened (read-only)	\??\n:	jxwbbuvi.exe
File opened (read-only)	\??\s:	jxwbbuvi.exe
File opened (read-only)	\??\b:	elvnluemov.exe
File opened (read-only)	\??\e:	elvnluemov.exe
File opened (read-only)	\??\q:	elvnluemov.exe
File opened (read-only)	\??\l:	jxwbbuvi.exe
File opened (read-only)	\??\h:	elvnluemov.exe
File opened (read-only)	\??\n:	jxwbbuvi.exe
File opened (read-only)	\??\x:	jxwbbuvi.exe
File opened (read-only)	\??\b:	jxwbbuvi.exe
File opened (read-only)	\??\j:	elvnluemov.exe
File opened (read-only)	\??\v:	elvnluemov.exe
File opened (read-only)	\??\o:	jxwbbuvi.exe
File opened (read-only)	\??\r:	jxwbbuvi.exe
File opened (read-only)	\??\u:	jxwbbuvi.exe
File opened (read-only)	\??\g:	jxwbbuvi.exe
File opened (read-only)	\??\k:	jxwbbuvi.exe
File opened (read-only)	\??\z:	jxwbbuvi.exe
File opened (read-only)	\??\k:	elvnluemov.exe
File opened (read-only)	\??\t:	elvnluemov.exe
File opened (read-only)	\??\s:	jxwbbuvi.exe
File opened (read-only)	\??\t:	jxwbbuvi.exe
File opened (read-only)	\??\i:	elvnluemov.exe
File opened (read-only)	\??\m:	elvnluemov.exe
File opened (read-only)	\??\z:	elvnluemov.exe
File opened (read-only)	\??\z:	jxwbbuvi.exe
File opened (read-only)	\??\i:	jxwbbuvi.exe
File opened (read-only)	\??\j:	jxwbbuvi.exe
File opened (read-only)	\??\f:	elvnluemov.exe
File opened (read-only)	\??\g:	jxwbbuvi.exe
File opened (read-only)	\??\i:	jxwbbuvi.exe
File opened (read-only)	\??\f:	jxwbbuvi.exe
File opened (read-only)	\??\t:	jxwbbuvi.exe
File opened (read-only)	\??\a:	elvnluemov.exe
File opened (read-only)	\??\a:	jxwbbuvi.exe
File opened (read-only)	\??\k:	jxwbbuvi.exe
File opened (read-only)	\??\v:	jxwbbuvi.exe
File opened (read-only)	\??\w:	jxwbbuvi.exe
File opened (read-only)	\??\h:	jxwbbuvi.exe
File opened (read-only)	\??\x:	jxwbbuvi.exe
File opened (read-only)	\??\y:	jxwbbuvi.exe
File opened (read-only)	\??\l:	jxwbbuvi.exe
File opened (read-only)	\??\g:	elvnluemov.exe
File opened (read-only)	\??\r:	elvnluemov.exe
File opened (read-only)	\??\w:	elvnluemov.exe
File opened (read-only)	\??\o:	elvnluemov.exe
File opened (read-only)	\??\x:	elvnluemov.exe
File opened (read-only)	\??\y:	elvnluemov.exe
File opened (read-only)	\??\e:	jxwbbuvi.exe
File opened (read-only)	\??\h:	jxwbbuvi.exe
File opened (read-only)	\??\l:	elvnluemov.exe
File opened (read-only)	\??\m:	jxwbbuvi.exe
File opened (read-only)	\??\u:	jxwbbuvi.exe
File opened (read-only)	\??\n:	elvnluemov.exe
File opened (read-only)	\??\y:	jxwbbuvi.exe
File opened (read-only)	\??\a:	jxwbbuvi.exe
File opened (read-only)	\??\r:	jxwbbuvi.exe
File opened (read-only)	\??\v:	jxwbbuvi.exe
File opened (read-only)	\??\m:	jxwbbuvi.exe
File opened (read-only)	\??\p:	jxwbbuvi.exe
File opened (read-only)	\??\q:	jxwbbuvi.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

elvnluemov.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	elvnluemov.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	elvnluemov.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1252-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1052-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/672-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1544-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1352-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/584-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1252-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1052-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/672-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/584-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1544-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1352-100-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\rlrbnotwmehkk.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	elvnluemov.exe
File created	C:\Windows\SysWOW64\jxwbbuvi.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created	C:\Windows\SysWOW64\rlrbnotwmehkk.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created	C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification	C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification	C:\Windows\SysWOW64\jxwbbuvi.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File created	C:\Windows\SysWOW64\elvnluemov.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification	C:\Windows\SysWOW64\elvnluemov.exe	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe

Drops file in Program Files directory 15 IoCs

Processes:

jxwbbuvi.exejxwbbuvi.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jxwbbuvi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jxwbbuvi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	jxwbbuvi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	jxwbbuvi.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	jxwbbuvi.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	jxwbbuvi.exe

Drops file in Windows directory 4 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeWINWORD.EXE

description	ioc	process
File opened for modification	C:\Windows\mydoc.rtf	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXEelvnluemov.exe10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	elvnluemov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068C3FE6622D0D10FD0D28B7D9163"	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	elvnluemov.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	elvnluemov.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	elvnluemov.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	elvnluemov.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	elvnluemov.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1640 WINWORD.EXE

pid	process
1640	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exejxwbbuvi.exerlrbnotwmehkk.exeynngljkgdhrgqnu.exejxwbbuvi.exe

pid	process
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
1352	jxwbbuvi.exe
1352	jxwbbuvi.exe
1352	jxwbbuvi.exe
1352	jxwbbuvi.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: 33	560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	560	AUDIODG.EXE
Token: 33	560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	560	AUDIODG.EXE
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe
Token: SeShutdownPrivilege	1056	explorer.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exejxwbbuvi.exeynngljkgdhrgqnu.exerlrbnotwmehkk.exeexplorer.exejxwbbuvi.exe

pid	process
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1352	jxwbbuvi.exe
1056	explorer.exe
1056	explorer.exe
1352	jxwbbuvi.exe
1352	jxwbbuvi.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exejxwbbuvi.exeynngljkgdhrgqnu.exerlrbnotwmehkk.exejxwbbuvi.exeexplorer.exe

pid	process
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
1052	elvnluemov.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
584	jxwbbuvi.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
672	ynngljkgdhrgqnu.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1544	rlrbnotwmehkk.exe
1352	jxwbbuvi.exe
1056	explorer.exe
1352	jxwbbuvi.exe
1352	jxwbbuvi.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe
1056	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1640 WINWORD.EXE
1640 WINWORD.EXE

pid	process
1640	WINWORD.EXE
1640	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exeelvnluemov.exeWINWORD.EXE

description	pid	process	target process
PID 1252 wrote to memory of 1052	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	elvnluemov.exe
PID 1252 wrote to memory of 1052	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	elvnluemov.exe
PID 1252 wrote to memory of 1052	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	elvnluemov.exe
PID 1252 wrote to memory of 1052	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	elvnluemov.exe
PID 1252 wrote to memory of 672	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	ynngljkgdhrgqnu.exe
PID 1252 wrote to memory of 672	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	ynngljkgdhrgqnu.exe
PID 1252 wrote to memory of 672	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	ynngljkgdhrgqnu.exe
PID 1252 wrote to memory of 672	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	ynngljkgdhrgqnu.exe
PID 1252 wrote to memory of 584	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	jxwbbuvi.exe
PID 1252 wrote to memory of 584	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	jxwbbuvi.exe
PID 1252 wrote to memory of 584	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	jxwbbuvi.exe
PID 1252 wrote to memory of 584	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	jxwbbuvi.exe
PID 1252 wrote to memory of 1544	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	rlrbnotwmehkk.exe
PID 1252 wrote to memory of 1544	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	rlrbnotwmehkk.exe
PID 1252 wrote to memory of 1544	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	rlrbnotwmehkk.exe
PID 1252 wrote to memory of 1544	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	rlrbnotwmehkk.exe
PID 1052 wrote to memory of 1352	1052	elvnluemov.exe	jxwbbuvi.exe
PID 1052 wrote to memory of 1352	1052	elvnluemov.exe	jxwbbuvi.exe
PID 1052 wrote to memory of 1352	1052	elvnluemov.exe	jxwbbuvi.exe
PID 1052 wrote to memory of 1352	1052	elvnluemov.exe	jxwbbuvi.exe
PID 1252 wrote to memory of 1640	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	WINWORD.EXE
PID 1252 wrote to memory of 1640	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	WINWORD.EXE
PID 1252 wrote to memory of 1640	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	WINWORD.EXE
PID 1252 wrote to memory of 1640	1252	10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe	WINWORD.EXE
PID 1640 wrote to memory of 628	1640	WINWORD.EXE	splwow64.exe
PID 1640 wrote to memory of 628	1640	WINWORD.EXE	splwow64.exe
PID 1640 wrote to memory of 628	1640	WINWORD.EXE	splwow64.exe
PID 1640 wrote to memory of 628	1640	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe
"C:\Users\Admin\AppData\Local\Temp\10c0f72340f006207f4acdeb8adf674b4abfcbcd95cd4782d1907e72d7dad4e5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\elvnluemov.exe
elvnluemov.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\jxwbbuvi.exe
C:\Windows\system32\jxwbbuvi.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352

C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe
ynngljkgdhrgqnu.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:672

C:\Windows\SysWOW64\jxwbbuvi.exe
jxwbbuvi.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:584

C:\Windows\SysWOW64\rlrbnotwmehkk.exe
rlrbnotwmehkk.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1544

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
66a5681009a98a3719d7e7986c0dceac

SHA1
6253868e18d7bb92ffd67a078a58289875bb429b

SHA256
a779bfefa679217e7e683d4078dfa709eb243de08e813ca0f76f18470d862c38

SHA512
824c5397ba206fb054e2f30e2ff90393dd2d3c090a97b81b3c1939b397026fe7cdd36ab5244f71a2395150ae995a32cc031bd872644eda4a5ca80aa7a3879a8f

Download Submit
C:\Windows\SysWOW64\elvnluemov.exe
Filesize
255KB

MD5
a2a9c39ae6b216bf85a658b854a109b2

SHA1
bd354bb8adea74d9bb6b7e7e34f11bd7d84e872f

SHA256
561b0da13a994f827f0d9648fd27b51ebd55ef1feadf033e6b5443e47ecb0cf6

SHA512
af259e4b12602a97b6ece41dc90c1d193ba65b28d6699c81dba9221044c50d1317edd4c5788717625d125f81c96de6e2222aec38b2340adb2b30a8450f1c2e73

Download Submit
C:\Windows\SysWOW64\elvnluemov.exe
Filesize
255KB

MD5
a2a9c39ae6b216bf85a658b854a109b2

SHA1
bd354bb8adea74d9bb6b7e7e34f11bd7d84e872f

SHA256
561b0da13a994f827f0d9648fd27b51ebd55ef1feadf033e6b5443e47ecb0cf6

SHA512
af259e4b12602a97b6ece41dc90c1d193ba65b28d6699c81dba9221044c50d1317edd4c5788717625d125f81c96de6e2222aec38b2340adb2b30a8450f1c2e73

Download Submit
C:\Windows\SysWOW64\jxwbbuvi.exe
Filesize
255KB

MD5
239534b470717681c0fae49f426bad5e

SHA1
1c394964e831f66813d6b717fdbadda234755408

SHA256
cc27046961d2bc22f48259f87c87bbe97600ec8aba6d858adb6163da63b827c1

SHA512
4f480a1ff604cea26bb9d8b318c68892b0bd1206b1c2114d18ce803467bec090ee8a5490d0a6842c30bbee7e961a4f84ab929a46a77461d2063f5b322af02cb1

Download Submit
C:\Windows\SysWOW64\jxwbbuvi.exe
Filesize
255KB

MD5
239534b470717681c0fae49f426bad5e

SHA1
1c394964e831f66813d6b717fdbadda234755408

SHA256
cc27046961d2bc22f48259f87c87bbe97600ec8aba6d858adb6163da63b827c1

SHA512
4f480a1ff604cea26bb9d8b318c68892b0bd1206b1c2114d18ce803467bec090ee8a5490d0a6842c30bbee7e961a4f84ab929a46a77461d2063f5b322af02cb1

Download Submit
C:\Windows\SysWOW64\jxwbbuvi.exe
Filesize
255KB

MD5
239534b470717681c0fae49f426bad5e

SHA1
1c394964e831f66813d6b717fdbadda234755408

SHA256
cc27046961d2bc22f48259f87c87bbe97600ec8aba6d858adb6163da63b827c1

SHA512
4f480a1ff604cea26bb9d8b318c68892b0bd1206b1c2114d18ce803467bec090ee8a5490d0a6842c30bbee7e961a4f84ab929a46a77461d2063f5b322af02cb1

Download Submit
C:\Windows\SysWOW64\rlrbnotwmehkk.exe
Filesize
255KB

MD5
3de1c960c201708b62541de1f3cc36d8

SHA1
2f7988798974376f9458a21ede4fe69789af09d6

SHA256
922d626a3a20e7cb456b15bcb7359ffc29c05c832cbc026dd6045c4bfc024d49

SHA512
d457a9be73bc961b8f076ddee6c4a7dc3d2670cb44b60ac72362ce8199603a36166c48fe7a5ee72cfec499fbdbf1c0676568171ab8eeb638a602a5a40589cb02

Download Submit
C:\Windows\SysWOW64\rlrbnotwmehkk.exe
Filesize
255KB

MD5
3de1c960c201708b62541de1f3cc36d8

SHA1
2f7988798974376f9458a21ede4fe69789af09d6

SHA256
922d626a3a20e7cb456b15bcb7359ffc29c05c832cbc026dd6045c4bfc024d49

SHA512
d457a9be73bc961b8f076ddee6c4a7dc3d2670cb44b60ac72362ce8199603a36166c48fe7a5ee72cfec499fbdbf1c0676568171ab8eeb638a602a5a40589cb02

Download Submit
C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe
Filesize
255KB

MD5
7146e6c064d56dd92b99e30f37bd7c7c

SHA1
666c384f55c09b3225cdc50c49c49f993f3e2ce5

SHA256
cdb63dbfbc95783f0bf37f6fc19cbc7953ab830decbfff5513784f6d3fa233b4

SHA512
8139df9fcba851841599b2da70194c7fc72c6c3372408be96da8432c387cb6b863c823e1543367047dcedb0bb511849e3c1d81fa49f0c461db99e65329dd2d97

Download Submit
C:\Windows\SysWOW64\ynngljkgdhrgqnu.exe
Filesize
255KB

MD5
7146e6c064d56dd92b99e30f37bd7c7c

SHA1
666c384f55c09b3225cdc50c49c49f993f3e2ce5

SHA256
cdb63dbfbc95783f0bf37f6fc19cbc7953ab830decbfff5513784f6d3fa233b4

SHA512
8139df9fcba851841599b2da70194c7fc72c6c3372408be96da8432c387cb6b863c823e1543367047dcedb0bb511849e3c1d81fa49f0c461db99e65329dd2d97

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\elvnluemov.exe
Filesize
255KB

MD5
a2a9c39ae6b216bf85a658b854a109b2

SHA1
bd354bb8adea74d9bb6b7e7e34f11bd7d84e872f

SHA256
561b0da13a994f827f0d9648fd27b51ebd55ef1feadf033e6b5443e47ecb0cf6

SHA512
af259e4b12602a97b6ece41dc90c1d193ba65b28d6699c81dba9221044c50d1317edd4c5788717625d125f81c96de6e2222aec38b2340adb2b30a8450f1c2e73

Download Submit
\Windows\SysWOW64\jxwbbuvi.exe
Filesize
255KB

MD5
239534b470717681c0fae49f426bad5e

SHA1
1c394964e831f66813d6b717fdbadda234755408

SHA256
cc27046961d2bc22f48259f87c87bbe97600ec8aba6d858adb6163da63b827c1

SHA512
4f480a1ff604cea26bb9d8b318c68892b0bd1206b1c2114d18ce803467bec090ee8a5490d0a6842c30bbee7e961a4f84ab929a46a77461d2063f5b322af02cb1

Download Submit
\Windows\SysWOW64\jxwbbuvi.exe
Filesize
255KB

MD5
239534b470717681c0fae49f426bad5e

SHA1
1c394964e831f66813d6b717fdbadda234755408

SHA256
cc27046961d2bc22f48259f87c87bbe97600ec8aba6d858adb6163da63b827c1

SHA512
4f480a1ff604cea26bb9d8b318c68892b0bd1206b1c2114d18ce803467bec090ee8a5490d0a6842c30bbee7e961a4f84ab929a46a77461d2063f5b322af02cb1

Download Submit
\Windows\SysWOW64\rlrbnotwmehkk.exe
Filesize
255KB

MD5
3de1c960c201708b62541de1f3cc36d8

SHA1
2f7988798974376f9458a21ede4fe69789af09d6

SHA256
922d626a3a20e7cb456b15bcb7359ffc29c05c832cbc026dd6045c4bfc024d49

SHA512
d457a9be73bc961b8f076ddee6c4a7dc3d2670cb44b60ac72362ce8199603a36166c48fe7a5ee72cfec499fbdbf1c0676568171ab8eeb638a602a5a40589cb02

Download Submit
\Windows\SysWOW64\ynngljkgdhrgqnu.exe
Filesize
255KB

MD5
7146e6c064d56dd92b99e30f37bd7c7c

SHA1
666c384f55c09b3225cdc50c49c49f993f3e2ce5

SHA256
cdb63dbfbc95783f0bf37f6fc19cbc7953ab830decbfff5513784f6d3fa233b4

SHA512
8139df9fcba851841599b2da70194c7fc72c6c3372408be96da8432c387cb6b863c823e1543367047dcedb0bb511849e3c1d81fa49f0c461db99e65329dd2d97

Download Submit
memory/584-67-0x0000000000000000-mapping.dmp

Download
memory/584-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/584-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/628-101-0x0000000000000000-mapping.dmp

Download
memory/672-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/672-62-0x0000000000000000-mapping.dmp

Download
memory/672-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1052-58-0x0000000000000000-mapping.dmp

Download
memory/1052-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1052-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1056-77-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1056-104-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/1252-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1252-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1252-57-0x00000000032F0000-0x0000000003390000-memory.dmp

Filesize
640KB

Download
memory/1252-83-0x00000000032F0000-0x0000000003390000-memory.dmp

Filesize
640KB

Download
memory/1252-54-0x0000000075651000-0x0000000075653000-memory.dmp

Filesize
8KB

Download
memory/1352-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1352-100-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1352-79-0x0000000000000000-mapping.dmp

Download
memory/1544-70-0x0000000000000000-mapping.dmp

Download
memory/1544-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1544-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1640-88-0x0000000000000000-mapping.dmp

Download
memory/1640-95-0x00000000712CD000-0x00000000712D8000-memory.dmp

Filesize
44KB

Download
memory/1640-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1640-91-0x00000000702E1000-0x00000000702E3000-memory.dmp

Filesize
8KB

Download
memory/1640-90-0x0000000072861000-0x0000000072864000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads