6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
Size

255KB
MD5

dbc4b7e63d1dd76f2a4a43a2a4523969
SHA1

b9235597a54d8ddfb736fe20419eab5e30aee11c
SHA256

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280
SHA512

6aec3d29aa34f44b8bea5616bd1e9d4a15ad61dcef4d8111a8f49421c283f0e04f83497a98174467a6fc5831c0e0d183ce09c03c9a62ca8fa2bea8860fc8029d
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIa

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	uqniaeligx.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	uqniaeligx.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	uqniaeligx.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uqniaeligx.exe

Executes dropped EXE 6 IoCs

Processes:

uqniaeligx.exepilgodphexltmwo.exettogtjjf.exeoaencvvmqwfaw.exeoaencvvmqwfaw.exettogtjjf.exe

pid process

1388 uqniaeligx.exe
1692 pilgodphexltmwo.exe
1548 ttogtjjf.exe
1296 oaencvvmqwfaw.exe
768 oaencvvmqwfaw.exe
828 ttogtjjf.exe

pid	process
1388	uqniaeligx.exe
1692	pilgodphexltmwo.exe
1548	ttogtjjf.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
828	ttogtjjf.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\uqniaeligx.exe	upx
C:\Windows\SysWOW64\uqniaeligx.exe	upx
\Windows\SysWOW64\pilgodphexltmwo.exe	upx
C:\Windows\SysWOW64\uqniaeligx.exe	upx
\Windows\SysWOW64\ttogtjjf.exe	upx
C:\Windows\SysWOW64\pilgodphexltmwo.exe	upx
behavioral1/memory/912-65-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\ttogtjjf.exe	upx
behavioral1/memory/1692-70-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\oaencvvmqwfaw.exe	upx
behavioral1/memory/1388-68-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Windows\SysWOW64\pilgodphexltmwo.exe	upx
C:\Windows\SysWOW64\ttogtjjf.exe	upx
C:\Windows\SysWOW64\oaencvvmqwfaw.exe	upx
C:\Windows\SysWOW64\oaencvvmqwfaw.exe	upx
\Windows\SysWOW64\oaencvvmqwfaw.exe	upx
C:\Windows\SysWOW64\oaencvvmqwfaw.exe	upx
C:\Windows\SysWOW64\ttogtjjf.exe	upx
\Windows\SysWOW64\ttogtjjf.exe	upx
behavioral1/memory/912-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1548-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1296-92-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/768-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/828-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx
C:\Users\Admin\AppData\Roaming\CompleteApprove.doc.exe	upx
behavioral1/memory/1388-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1692-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1548-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1296-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/768-107-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/828-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.execmd.exeuqniaeligx.exe

pid	process
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
436	cmd.exe
1388	uqniaeligx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	uqniaeligx.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pilgodphexltmwo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\omjjjnys = "uqniaeligx.exe"	pilgodphexltmwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msslodwi = "pilgodphexltmwo.exe"	pilgodphexltmwo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "oaencvvmqwfaw.exe"	pilgodphexltmwo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	pilgodphexltmwo.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ttogtjjf.exeuqniaeligx.exettogtjjf.exe

description	ioc	process
File opened (read-only)	\??\f:	ttogtjjf.exe
File opened (read-only)	\??\l:	ttogtjjf.exe
File opened (read-only)	\??\n:	ttogtjjf.exe
File opened (read-only)	\??\u:	ttogtjjf.exe
File opened (read-only)	\??\y:	uqniaeligx.exe
File opened (read-only)	\??\m:	uqniaeligx.exe
File opened (read-only)	\??\n:	ttogtjjf.exe
File opened (read-only)	\??\r:	ttogtjjf.exe
File opened (read-only)	\??\g:	ttogtjjf.exe
File opened (read-only)	\??\m:	ttogtjjf.exe
File opened (read-only)	\??\e:	uqniaeligx.exe
File opened (read-only)	\??\q:	ttogtjjf.exe
File opened (read-only)	\??\e:	ttogtjjf.exe
File opened (read-only)	\??\k:	ttogtjjf.exe
File opened (read-only)	\??\a:	uqniaeligx.exe
File opened (read-only)	\??\i:	uqniaeligx.exe
File opened (read-only)	\??\f:	ttogtjjf.exe
File opened (read-only)	\??\m:	ttogtjjf.exe
File opened (read-only)	\??\h:	ttogtjjf.exe
File opened (read-only)	\??\j:	uqniaeligx.exe
File opened (read-only)	\??\l:	uqniaeligx.exe
File opened (read-only)	\??\i:	ttogtjjf.exe
File opened (read-only)	\??\a:	ttogtjjf.exe
File opened (read-only)	\??\j:	ttogtjjf.exe
File opened (read-only)	\??\q:	ttogtjjf.exe
File opened (read-only)	\??\v:	ttogtjjf.exe
File opened (read-only)	\??\b:	uqniaeligx.exe
File opened (read-only)	\??\o:	uqniaeligx.exe
File opened (read-only)	\??\z:	uqniaeligx.exe
File opened (read-only)	\??\x:	ttogtjjf.exe
File opened (read-only)	\??\u:	uqniaeligx.exe
File opened (read-only)	\??\o:	ttogtjjf.exe
File opened (read-only)	\??\s:	ttogtjjf.exe
File opened (read-only)	\??\z:	ttogtjjf.exe
File opened (read-only)	\??\u:	ttogtjjf.exe
File opened (read-only)	\??\w:	ttogtjjf.exe
File opened (read-only)	\??\b:	ttogtjjf.exe
File opened (read-only)	\??\j:	ttogtjjf.exe
File opened (read-only)	\??\p:	ttogtjjf.exe
File opened (read-only)	\??\r:	ttogtjjf.exe
File opened (read-only)	\??\r:	uqniaeligx.exe
File opened (read-only)	\??\h:	ttogtjjf.exe
File opened (read-only)	\??\i:	ttogtjjf.exe
File opened (read-only)	\??\w:	ttogtjjf.exe
File opened (read-only)	\??\f:	uqniaeligx.exe
File opened (read-only)	\??\g:	uqniaeligx.exe
File opened (read-only)	\??\t:	ttogtjjf.exe
File opened (read-only)	\??\w:	uqniaeligx.exe
File opened (read-only)	\??\x:	uqniaeligx.exe
File opened (read-only)	\??\g:	ttogtjjf.exe
File opened (read-only)	\??\v:	ttogtjjf.exe
File opened (read-only)	\??\s:	ttogtjjf.exe
File opened (read-only)	\??\t:	ttogtjjf.exe
File opened (read-only)	\??\x:	ttogtjjf.exe
File opened (read-only)	\??\z:	ttogtjjf.exe
File opened (read-only)	\??\p:	ttogtjjf.exe
File opened (read-only)	\??\y:	ttogtjjf.exe
File opened (read-only)	\??\e:	ttogtjjf.exe
File opened (read-only)	\??\o:	ttogtjjf.exe
File opened (read-only)	\??\q:	uqniaeligx.exe
File opened (read-only)	\??\s:	uqniaeligx.exe
File opened (read-only)	\??\t:	uqniaeligx.exe
File opened (read-only)	\??\a:	ttogtjjf.exe
File opened (read-only)	\??\k:	uqniaeligx.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

uqniaeligx.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	uqniaeligx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	uqniaeligx.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/912-65-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1692-70-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1388-68-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/912-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1548-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1296-92-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/768-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/828-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1388-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1692-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1548-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1296-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/768-107-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/828-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

uqniaeligx.exe6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	uqniaeligx.exe
File created	C:\Windows\SysWOW64\uqniaeligx.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File created	C:\Windows\SysWOW64\pilgodphexltmwo.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File opened for modification	C:\Windows\SysWOW64\pilgodphexltmwo.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File created	C:\Windows\SysWOW64\ttogtjjf.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File opened for modification	C:\Windows\SysWOW64\ttogtjjf.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File opened for modification	C:\Windows\SysWOW64\oaencvvmqwfaw.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File opened for modification	C:\Windows\SysWOW64\uqniaeligx.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File created	C:\Windows\SysWOW64\oaencvvmqwfaw.exe	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe

Drops file in Program Files directory 14 IoCs

Processes:

ttogtjjf.exettogtjjf.exe

description	ioc	process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ttogtjjf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ttogtjjf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ttogtjjf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ttogtjjf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ttogtjjf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ttogtjjf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ttogtjjf.exe

Drops file in Windows directory 5 IoCs

Processes:

WINWORD.EXE6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe

description	ioc	process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

uqniaeligx.exeWINWORD.EXE6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	uqniaeligx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	uqniaeligx.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	uqniaeligx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	uqniaeligx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB5FABDF961F1E7837F3B45819B3999B08A03FC4364023DE1BA45E708A5"	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFFF9485C851F9142D6217E93BDE0E63358406741633FD6EA"	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB8FE6E21A9D27AD0A08B099010"	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC70B14E1DAB7B8CB7CE0ECE034B9"	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	uqniaeligx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	uqniaeligx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

984 WINWORD.EXE

pid	process
984	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exeuqniaeligx.exettogtjjf.exepilgodphexltmwo.exeoaencvvmqwfaw.exeoaencvvmqwfaw.exettogtjjf.exe

pid	process
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
828	ttogtjjf.exe
828	ttogtjjf.exe
828	ttogtjjf.exe
828	ttogtjjf.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exeuqniaeligx.exettogtjjf.exepilgodphexltmwo.exeoaencvvmqwfaw.exeoaencvvmqwfaw.exettogtjjf.exe

pid	process
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
828	ttogtjjf.exe
828	ttogtjjf.exe
828	ttogtjjf.exe

Suspicious use of SendNotifyMessage 21 IoCs

Processes:

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exeuqniaeligx.exettogtjjf.exepilgodphexltmwo.exeoaencvvmqwfaw.exeoaencvvmqwfaw.exettogtjjf.exe

pid	process
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1388	uqniaeligx.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1548	ttogtjjf.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1692	pilgodphexltmwo.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
1296	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
768	oaencvvmqwfaw.exe
828	ttogtjjf.exe
828	ttogtjjf.exe
828	ttogtjjf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

984 WINWORD.EXE
984 WINWORD.EXE

pid	process
984	WINWORD.EXE
984	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exepilgodphexltmwo.execmd.exeuqniaeligx.exeWINWORD.EXE

description	pid	process	target process
PID 912 wrote to memory of 1388	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	uqniaeligx.exe
PID 912 wrote to memory of 1388	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	uqniaeligx.exe
PID 912 wrote to memory of 1388	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	uqniaeligx.exe
PID 912 wrote to memory of 1388	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	uqniaeligx.exe
PID 912 wrote to memory of 1692	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	pilgodphexltmwo.exe
PID 912 wrote to memory of 1692	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	pilgodphexltmwo.exe
PID 912 wrote to memory of 1692	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	pilgodphexltmwo.exe
PID 912 wrote to memory of 1692	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	pilgodphexltmwo.exe
PID 912 wrote to memory of 1548	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	ttogtjjf.exe
PID 912 wrote to memory of 1548	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	ttogtjjf.exe
PID 912 wrote to memory of 1548	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	ttogtjjf.exe
PID 912 wrote to memory of 1548	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	ttogtjjf.exe
PID 912 wrote to memory of 1296	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	oaencvvmqwfaw.exe
PID 912 wrote to memory of 1296	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	oaencvvmqwfaw.exe
PID 912 wrote to memory of 1296	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	oaencvvmqwfaw.exe
PID 912 wrote to memory of 1296	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	oaencvvmqwfaw.exe
PID 1692 wrote to memory of 436	1692	pilgodphexltmwo.exe	cmd.exe
PID 1692 wrote to memory of 436	1692	pilgodphexltmwo.exe	cmd.exe
PID 1692 wrote to memory of 436	1692	pilgodphexltmwo.exe	cmd.exe
PID 1692 wrote to memory of 436	1692	pilgodphexltmwo.exe	cmd.exe
PID 436 wrote to memory of 768	436	cmd.exe	oaencvvmqwfaw.exe
PID 436 wrote to memory of 768	436	cmd.exe	oaencvvmqwfaw.exe
PID 436 wrote to memory of 768	436	cmd.exe	oaencvvmqwfaw.exe
PID 436 wrote to memory of 768	436	cmd.exe	oaencvvmqwfaw.exe
PID 1388 wrote to memory of 828	1388	uqniaeligx.exe	ttogtjjf.exe
PID 1388 wrote to memory of 828	1388	uqniaeligx.exe	ttogtjjf.exe
PID 1388 wrote to memory of 828	1388	uqniaeligx.exe	ttogtjjf.exe
PID 1388 wrote to memory of 828	1388	uqniaeligx.exe	ttogtjjf.exe
PID 912 wrote to memory of 984	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	WINWORD.EXE
PID 912 wrote to memory of 984	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	WINWORD.EXE
PID 912 wrote to memory of 984	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	WINWORD.EXE
PID 912 wrote to memory of 984	912	6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe	WINWORD.EXE
PID 984 wrote to memory of 1468	984	WINWORD.EXE	splwow64.exe
PID 984 wrote to memory of 1468	984	WINWORD.EXE	splwow64.exe
PID 984 wrote to memory of 1468	984	WINWORD.EXE	splwow64.exe
PID 984 wrote to memory of 1468	984	WINWORD.EXE	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe
"C:\Users\Admin\AppData\Local\Temp\6696746e12bbfb3c99c8fa82cbacef621a64dd7f8575ef64a9ed2d18c7b16280.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\uqniaeligx.exe
uqniaeligx.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\ttogtjjf.exe
C:\Windows\system32\ttogtjjf.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:828

C:\Windows\SysWOW64\pilgodphexltmwo.exe
pilgodphexltmwo.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c oaencvvmqwfaw.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\oaencvvmqwfaw.exe
oaencvvmqwfaw.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:768

C:\Windows\SysWOW64\ttogtjjf.exe
ttogtjjf.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Windows\SysWOW64\oaencvvmqwfaw.exe
oaencvvmqwfaw.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1296

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
5726aff19825b7e2a8f15f128eae9ea0

SHA1
ddcb1b5c13f274f2d65aa33b14c2e480056cd477

SHA256
e3fd51b207fad3cea47d41f5489e7496fdea8581e158add1344d4022d10e8e49

SHA512
ab32bed2ec2884d0ca30ce71f73f032a86bbfb68235f64fee137ee9c4919770729f14237a7b542973a0a56e697d28847d81590c5bee5794e69357ff0b2338765

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
e2622b9fecf91bb68d46cae4c6ffc156

SHA1
fe16d158fa5d4fd33955ae5d6ab9f97a79ca9c36

SHA256
cd2a76582ba5677b1e0d4e459a50a174d8e6b59467c5f6999b5eadeb500791e4

SHA512
9272528b42c33067d35f8a7ef9c4f06e1a8e2e73820e279d063be141717bc70c7641bb8432379b4259ab8e7e43c37721b34bab59641b6727dee9d78dd986fa82

Download Submit
C:\Users\Admin\AppData\Roaming\CompleteApprove.doc.exe
Filesize
255KB

MD5
68a7b691375a7492a25033f8fd610a63

SHA1
463b9ac992d4f0a7ab228914f3fb0af2a48a13ba

SHA256
0f882b4aff0f85ea1e0db18b940d49f4c9aa8a87a11d94acb75340d2aa86a118

SHA512
76e78f2015f5fe9e3c1443c5e1cae324dc27c90c9c0be2f87cd8ccba70ca85d4d3386933289de26341f5ce3505e0fcb1d8180fa1fa2c97f0be909d104eae6217

Download Submit
C:\Windows\SysWOW64\oaencvvmqwfaw.exe
Filesize
255KB

MD5
4abdb046a4044a75f1b23cd9226ffbe3

SHA1
094b3d8ba5acd20609d25ce1df52beb937fa591a

SHA256
4ae4d030b66ab6f983ae6113185971a00ac11cb8579a4c24766d1765702abecf

SHA512
c29a9f0431b4493076168f5df404a123bedd2334af8c3e3295467926e43f8da7a08482f6f8203b7f9a6adcef4d5bfc4e40ce56da64599967732f81578335bd6f

Download Submit
C:\Windows\SysWOW64\oaencvvmqwfaw.exe
Filesize
255KB

MD5
4abdb046a4044a75f1b23cd9226ffbe3

SHA1
094b3d8ba5acd20609d25ce1df52beb937fa591a

SHA256
4ae4d030b66ab6f983ae6113185971a00ac11cb8579a4c24766d1765702abecf

SHA512
c29a9f0431b4493076168f5df404a123bedd2334af8c3e3295467926e43f8da7a08482f6f8203b7f9a6adcef4d5bfc4e40ce56da64599967732f81578335bd6f

Download Submit
C:\Windows\SysWOW64\oaencvvmqwfaw.exe
Filesize
255KB

MD5
4abdb046a4044a75f1b23cd9226ffbe3

SHA1
094b3d8ba5acd20609d25ce1df52beb937fa591a

SHA256
4ae4d030b66ab6f983ae6113185971a00ac11cb8579a4c24766d1765702abecf

SHA512
c29a9f0431b4493076168f5df404a123bedd2334af8c3e3295467926e43f8da7a08482f6f8203b7f9a6adcef4d5bfc4e40ce56da64599967732f81578335bd6f

Download Submit
C:\Windows\SysWOW64\pilgodphexltmwo.exe
Filesize
255KB

MD5
e8613defc5353a1033f3e88a5e5c0fe7

SHA1
82eb4d7d16f54fa731acef9e65d841d533c90b9f

SHA256
81a5fdec43ff4cf8b9143c75e84dcf4735e2e8d21077dccfce6391c3ee8c7fdd

SHA512
87024f708600cd40aa1639f5f1ad052cbdb79253b8959f5a6eb184dc3a610c6b1c42e16d366119b97523b09ca2bd2ad6573cde11c57dfc6d35eb2546b366b6f2

Download Submit
C:\Windows\SysWOW64\pilgodphexltmwo.exe
Filesize
255KB

MD5
e8613defc5353a1033f3e88a5e5c0fe7

SHA1
82eb4d7d16f54fa731acef9e65d841d533c90b9f

SHA256
81a5fdec43ff4cf8b9143c75e84dcf4735e2e8d21077dccfce6391c3ee8c7fdd

SHA512
87024f708600cd40aa1639f5f1ad052cbdb79253b8959f5a6eb184dc3a610c6b1c42e16d366119b97523b09ca2bd2ad6573cde11c57dfc6d35eb2546b366b6f2

Download Submit
C:\Windows\SysWOW64\ttogtjjf.exe
Filesize
255KB

MD5
204b94e75a1906d9790658a4edb0decf

SHA1
1b6c27c946cacc490d84075e1e22946044973564

SHA256
c07fcd65dbff664770f354890d8fc54b2eed9f6e562e759934e3cd016d02c928

SHA512
da56a3f5eed9b9df90a38671c450d65ae4a1e6f4081600784b9a7bf034985f14cd7ce9b4b6fa82815a551b7eb5ceabba67c112cf3aba1111040dbca4bf7b2967

Download Submit
C:\Windows\SysWOW64\ttogtjjf.exe
Filesize
255KB

MD5
204b94e75a1906d9790658a4edb0decf

SHA1
1b6c27c946cacc490d84075e1e22946044973564

SHA256
c07fcd65dbff664770f354890d8fc54b2eed9f6e562e759934e3cd016d02c928

SHA512
da56a3f5eed9b9df90a38671c450d65ae4a1e6f4081600784b9a7bf034985f14cd7ce9b4b6fa82815a551b7eb5ceabba67c112cf3aba1111040dbca4bf7b2967

Download Submit
C:\Windows\SysWOW64\ttogtjjf.exe
Filesize
255KB

MD5
204b94e75a1906d9790658a4edb0decf

SHA1
1b6c27c946cacc490d84075e1e22946044973564

SHA256
c07fcd65dbff664770f354890d8fc54b2eed9f6e562e759934e3cd016d02c928

SHA512
da56a3f5eed9b9df90a38671c450d65ae4a1e6f4081600784b9a7bf034985f14cd7ce9b4b6fa82815a551b7eb5ceabba67c112cf3aba1111040dbca4bf7b2967

Download Submit
C:\Windows\SysWOW64\uqniaeligx.exe
Filesize
255KB

MD5
f622840cf787b76318c810b1fff2250f

SHA1
18227be390c6b35bd0b4ec7cebb561329a716bf1

SHA256
c0d45362e2874f38008795f721f1cbd5da0ef06d84a55b61fc1a5a873af6a7fb

SHA512
c7f1ab17908cb0c47d1f033f2e039f86ce95beb94cdf85539b4f660e2bb728b3f3693e0840441e1ee0b835861e9ea5df192bbf11f48c1db005ea1713b5cce1e4

Download Submit
C:\Windows\SysWOW64\uqniaeligx.exe
Filesize
255KB

MD5
f622840cf787b76318c810b1fff2250f

SHA1
18227be390c6b35bd0b4ec7cebb561329a716bf1

SHA256
c0d45362e2874f38008795f721f1cbd5da0ef06d84a55b61fc1a5a873af6a7fb

SHA512
c7f1ab17908cb0c47d1f033f2e039f86ce95beb94cdf85539b4f660e2bb728b3f3693e0840441e1ee0b835861e9ea5df192bbf11f48c1db005ea1713b5cce1e4

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\oaencvvmqwfaw.exe
Filesize
255KB

MD5
4abdb046a4044a75f1b23cd9226ffbe3

SHA1
094b3d8ba5acd20609d25ce1df52beb937fa591a

SHA256
4ae4d030b66ab6f983ae6113185971a00ac11cb8579a4c24766d1765702abecf

SHA512
c29a9f0431b4493076168f5df404a123bedd2334af8c3e3295467926e43f8da7a08482f6f8203b7f9a6adcef4d5bfc4e40ce56da64599967732f81578335bd6f

Download Submit
\Windows\SysWOW64\oaencvvmqwfaw.exe
Filesize
255KB

MD5
4abdb046a4044a75f1b23cd9226ffbe3

SHA1
094b3d8ba5acd20609d25ce1df52beb937fa591a

SHA256
4ae4d030b66ab6f983ae6113185971a00ac11cb8579a4c24766d1765702abecf

SHA512
c29a9f0431b4493076168f5df404a123bedd2334af8c3e3295467926e43f8da7a08482f6f8203b7f9a6adcef4d5bfc4e40ce56da64599967732f81578335bd6f

Download Submit
\Windows\SysWOW64\pilgodphexltmwo.exe
Filesize
255KB

MD5
e8613defc5353a1033f3e88a5e5c0fe7

SHA1
82eb4d7d16f54fa731acef9e65d841d533c90b9f

SHA256
81a5fdec43ff4cf8b9143c75e84dcf4735e2e8d21077dccfce6391c3ee8c7fdd

SHA512
87024f708600cd40aa1639f5f1ad052cbdb79253b8959f5a6eb184dc3a610c6b1c42e16d366119b97523b09ca2bd2ad6573cde11c57dfc6d35eb2546b366b6f2

Download Submit
\Windows\SysWOW64\ttogtjjf.exe
Filesize
255KB

MD5
204b94e75a1906d9790658a4edb0decf

SHA1
1b6c27c946cacc490d84075e1e22946044973564

SHA256
c07fcd65dbff664770f354890d8fc54b2eed9f6e562e759934e3cd016d02c928

SHA512
da56a3f5eed9b9df90a38671c450d65ae4a1e6f4081600784b9a7bf034985f14cd7ce9b4b6fa82815a551b7eb5ceabba67c112cf3aba1111040dbca4bf7b2967

Download Submit
\Windows\SysWOW64\ttogtjjf.exe
Filesize
255KB

MD5
204b94e75a1906d9790658a4edb0decf

SHA1
1b6c27c946cacc490d84075e1e22946044973564

SHA256
c07fcd65dbff664770f354890d8fc54b2eed9f6e562e759934e3cd016d02c928

SHA512
da56a3f5eed9b9df90a38671c450d65ae4a1e6f4081600784b9a7bf034985f14cd7ce9b4b6fa82815a551b7eb5ceabba67c112cf3aba1111040dbca4bf7b2967

Download Submit
\Windows\SysWOW64\uqniaeligx.exe
Filesize
255KB

MD5
f622840cf787b76318c810b1fff2250f

SHA1
18227be390c6b35bd0b4ec7cebb561329a716bf1

SHA256
c0d45362e2874f38008795f721f1cbd5da0ef06d84a55b61fc1a5a873af6a7fb

SHA512
c7f1ab17908cb0c47d1f033f2e039f86ce95beb94cdf85539b4f660e2bb728b3f3693e0840441e1ee0b835861e9ea5df192bbf11f48c1db005ea1713b5cce1e4

Download Submit
memory/436-79-0x0000000000000000-mapping.dmp

Download
memory/768-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/768-107-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/768-81-0x0000000000000000-mapping.dmp

Download
memory/828-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/828-85-0x0000000000000000-mapping.dmp

Download
memory/828-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/912-67-0x0000000003310000-0x00000000033B0000-memory.dmp

Filesize
640KB

Download
memory/912-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/912-65-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/912-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/984-95-0x00000000700D1000-0x00000000700D3000-memory.dmp

Filesize
8KB

Download
memory/984-113-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/984-90-0x0000000072651000-0x0000000072654000-memory.dmp

Filesize
12KB

Download
memory/984-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/984-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/984-88-0x0000000000000000-mapping.dmp

Download
memory/984-99-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/984-109-0x00000000710BD000-0x00000000710C8000-memory.dmp

Filesize
44KB

Download
memory/1296-92-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1296-72-0x0000000000000000-mapping.dmp

Download
memory/1296-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1388-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1388-56-0x0000000000000000-mapping.dmp

Download
memory/1388-68-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1468-110-0x0000000000000000-mapping.dmp

Download
memory/1468-111-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

Filesize
8KB

Download
memory/1548-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1548-66-0x0000000000000000-mapping.dmp

Download
memory/1548-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1692-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1692-70-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1692-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads