Analysis
max time kernel: 151s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 22:57

Behavioral task: behavioral1
Sample: a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Resource: win10v2004-20221111-en

General
Target: a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Size: 255KB
MD5: 96a1693ba62d67320cd3dc074f3ce804
SHA1: da55e99e4e15df86ef5c81ba60e334352bbff2ea
SHA256: a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78
SHA512: 7ac579a74e6658a83cfcc43453f23c861479885f3fb9779a8ccf9639c852a9248a61bb98514a74c940232da82c2277f67e414385575acd8679c1433a92f42bcd
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIy
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"

Disables RegEdit via registry modification (1 IoC)
Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Executes dropped EXE (6 IoCs)
Processes (pid, process):
  1992 guwnuglbyv.exe
  1424 yqibxrycsdtwnli.exe
  1152 etxejjuw.exe
  1116 mgxkzaztfqiww.exe
  1788 mgxkzaztfqiww.exe
  1676 etxejjuw.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
  explorer.exe
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components
Processes (resource, yara_rule):
  upx
    \Windows\SysWOW64\guwnuglbyv.exe
    C:\Windows\SysWOW64\guwnuglbyv.exe (2 matches)
    \Windows\SysWOW64\yqibxrycsdtwnli.exe
    C:\Windows\SysWOW64\yqibxrycsdtwnli.exe (2 matches)
    \Windows\SysWOW64\etxejjuw.exe (2 matches)
    C:\Windows\SysWOW64\etxejjuw.exe (3 matches)
    \Windows\SysWOW64\mgxkzaztfqiww.exe (2 matches)
    C:\Windows\SysWOW64\mgxkzaztfqiww.exe (3 matches)
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    behavioral1/memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1476-57-0x0000000002FA0000-0x0000000003040000-memory.dmp
    behavioral1/memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp
    behavioral1/memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp
Loads dropped DLL (6 IoCs)
Processes (pid, process):
  1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe (4 events)
  1816 cmd.exe
  1992 guwnuglbyv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  yqibxrycsdtwnli.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gqymhnqk = "guwnuglbyv.exe"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\evyuknzk = "yqibxrycsdtwnli.exe"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mgxkzaztfqiww.exe"
    Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  etxejjuw.exe (42 events; several drive roots opened more than once)
    File opened (read-only) \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
  guwnuglbyv.exe (22 events)
    File opened (read-only) \??\a: \??\b: \??\e: \??\f: \??\g: \??\h: \??\i: \??\j: \??\l: \??\m: \??\n: \??\o: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes:
  guwnuglbyv.exe
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
    Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
AutoIT Executable (15 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
  autoit_exe
    behavioral1/memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp
    behavioral1/memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp
    behavioral1/memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp
Drops file in System32 directory (9 IoCs)
Processes:
  a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
    File created C:\Windows\SysWOW64\guwnuglbyv.exe
    File opened for modification C:\Windows\SysWOW64\guwnuglbyv.exe
    File created C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
    File opened for modification C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
    File created C:\Windows\SysWOW64\etxejjuw.exe
    File opened for modification C:\Windows\SysWOW64\etxejjuw.exe
    File created C:\Windows\SysWOW64\mgxkzaztfqiww.exe
    File opened for modification C:\Windows\SysWOW64\mgxkzaztfqiww.exe
  guwnuglbyv.exe
    File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
Drops file in Program Files directory (15 IoCs)
Processes:
  etxejjuw.exe
    File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (2 events)
    File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (2 events)
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (2 events)
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (2 events)
    File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
    File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (2 events)
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (2 events)
    File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (2 events)
Drops file in Windows directory (4 IoCs)
Processes:
  WINWORD.EXE
    File created C:\Windows\~$mydoc.rtf
    File opened for modification C:\Windows\Debug\WIA\wiatrace.log
    File opened for modification C:\Windows\mydoc.rtf
  a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
    File opened for modification C:\Windows\mydoc.rtf
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Office loads VBA resources, possible macro or embedded object present
Processes:
  WINWORD.EXE
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
    Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
    Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
    Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
    Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
  explorer.exe
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Modifies registry class (64 IoCs)
Processes:
  a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C70C1490DBBEB8CF7C93EC9434BB"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFB4F28851A9032D75F7EE6BC90E1345846674E6242D6EA"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D7D9D5583516D4276D770532CDC7C8765DF"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CCF964F1E084783A4381EB3992B38C02F04213023EE1BF42EC08A3"
  guwnuglbyv.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  explorer.exe
    Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
    Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings
  WINWORD.EXE
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
    Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
    Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes (pid, process):
  560 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
  1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe (8 events)
  1424 yqibxrycsdtwnli.exe (12 events)
  1152 etxejjuw.exe (4 events)
  1116 mgxkzaztfqiww.exe (16 events)
  1992 guwnuglbyv.exe (5 events)
  1788 mgxkzaztfqiww.exe (15 events)
  1676 etxejjuw.exe (4 events)
Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes (description, pid, process):
  Token: SeShutdownPrivilege 1528 explorer.exe (16 events)
  Token: 33 268 AUDIODG.EXE (2 events)
  Token: SeIncBasePriorityPrivilege 268 AUDIODG.EXE (2 events)
Suspicious use of FindShellTrayWindow 59 IoCs
Processes:
pid process (rows)
1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe (×3)
1992 guwnuglbyv.exe (×3)
1424 yqibxrycsdtwnli.exe (×3)
1152 etxejjuw.exe (×3)
1116 mgxkzaztfqiww.exe (×3)
1788 mgxkzaztfqiww.exe (×3)
1676 etxejjuw.exe (×3)
1528 explorer.exe (×38)
-
Suspicious use of SendNotifyMessage 41 IoCs
Processes:
pid process (rows)
1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe (×3)
1992 guwnuglbyv.exe (×3)
1424 yqibxrycsdtwnli.exe (×3)
1152 etxejjuw.exe (×3)
1116 mgxkzaztfqiww.exe (×3)
1528 explorer.exe (×26)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process (rows)
560 WINWORD.EXE (×2)
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description pid process target process (rows)
PID 1476 wrote to memory of 1992 1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe guwnuglbyv.exe (×4)
PID 1476 wrote to memory of 1424 1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe yqibxrycsdtwnli.exe (×4)
PID 1476 wrote to memory of 1152 1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe etxejjuw.exe (×4)
PID 1476 wrote to memory of 1116 1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe mgxkzaztfqiww.exe (×4)
PID 1424 wrote to memory of 1816 1424 yqibxrycsdtwnli.exe cmd.exe (×4)
PID 1816 wrote to memory of 1788 1816 cmd.exe mgxkzaztfqiww.exe (×4)
PID 1992 wrote to memory of 1676 1992 guwnuglbyv.exe etxejjuw.exe (×4)
PID 1476 wrote to memory of 560 1476 a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe WINWORD.EXE (×4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\guwnuglbyv.exe (level 2)
Command line: guwnuglbyv.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\etxejjuw.exe (level 3)
Command line: C:\Windows\system32\etxejjuw.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe (level 2)
Command line: yqibxrycsdtwnli.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: cmd.exe /c mgxkzaztfqiww.exe
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mgxkzaztfqiww.exe (level 4)
Command line: mgxkzaztfqiww.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\etxejjuw.exe (level 2)
Command line: etxejjuw.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\mgxkzaztfqiww.exe (level 2)
Command line: mgxkzaztfqiww.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (level 2)
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe (level 1)
Command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\AUDIODG.EXE (level 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x598
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Hidden Files and Directories (2)
- Modify Registry (8)
- Disabling Security Tools (2)
Downloads
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize 255KB
MD5 2ecea368036e95912332cb5318a66665
SHA1 f0dc6819c370eb8c39ec863d0aa41691eb224aa1
SHA256 f4967889a1e947c511f1718bba457662489a9d4fa9aaf4b67de849f08da129e5
SHA512 15f934c1b74225e402935db4805be4bbe09f9bf187a9ae588063ae61ec8fd3df83586a03fa5d9b6b68f89c0e5336e94b5951f07863c3637630aeb0c7a0cf57c8
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize 255KB
MD5 844834a557b8135250bab951d1996f81
SHA1 0bc5dfcebc7518d83891d7c5bc3efea02b8b8f35
SHA256 0d06333303ff8341eb79c5c5ce9e2135d0c0100f65b409878680dd1d7e2f6f6e
SHA512 3b444ff6e4d5e4a0938fa1c804414cd01cd9b354631126b405e46311a64b3f2d16fc046e661381f2086fb71c52f7be5bed5ceec6d895d171d4a6f432b399aa85
-
C:\Windows\SysWOW64\etxejjuw.exe
Filesize 255KB
MD5 f94d674a91ec38e870baed8253765994
SHA1 10d7b0681e48aa82465e6915d299847bec701c6f
SHA256 cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb
SHA512 e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967
-
C:\Windows\SysWOW64\guwnuglbyv.exe
Filesize 255KB
MD5 2bb81a2b18e4175ddb3a69baf6702d5d
SHA1 da82daedcaef411b23fc96e759705cba4211de25
SHA256 8d470d415a83821d474c95a450d6c06433c0e311a5925ee35aa3a288cbf6ba02
SHA512 259430bd90425afb8a1bc372aa15c4e6e42ceb27383fc407e2f7c321c16cda02970b413628e37ee396940f76ed861a4d0247b082430537e7cfb31695b66f8796
-
C:\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize 255KB
MD5 1d494fb97b1173af2ada43b18cb3fdc3
SHA1 2fda4aea53ffdbdc4744e0339667a759f265a111
SHA256 e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d
SHA512 7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7
-
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
Filesize 255KB
MD5 fe9414349c77d1317d87ff8e9c1c0216
SHA1 74b1b6616d5cf1713ca5bca03686d7e9965b3884
SHA256 25cf8ee77b84d14e7d8cbc6ee7302a272c0fbd9e8239766fcf8385762427d241
SHA512 6843a28b674191f46173f0cf895a977a2d9a0a5230738de76e60521d8d0cb9e149fc3bd176aab34cfce4303f691996277c0c09af6e4184121378ada0bb7afd4c
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\etxejjuw.exe
Filesize 255KB
MD5 f94d674a91ec38e870baed8253765994
SHA1 10d7b0681e48aa82465e6915d299847bec701c6f
SHA256 cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb
SHA512 e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967
-
\Windows\SysWOW64\guwnuglbyv.exe
Filesize 255KB
MD5 2bb81a2b18e4175ddb3a69baf6702d5d
SHA1 da82daedcaef411b23fc96e759705cba4211de25
SHA256 8d470d415a83821d474c95a450d6c06433c0e311a5925ee35aa3a288cbf6ba02
SHA512 259430bd90425afb8a1bc372aa15c4e6e42ceb27383fc407e2f7c321c16cda02970b413628e37ee396940f76ed861a4d0247b082430537e7cfb31695b66f8796
-
\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize 255KB
MD5 1d494fb97b1173af2ada43b18cb3fdc3
SHA1 2fda4aea53ffdbdc4744e0339667a759f265a111
SHA256 e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d
SHA512 7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7
-
\Windows\SysWOW64\yqibxrycsdtwnli.exe
Filesize 255KB
MD5 fe9414349c77d1317d87ff8e9c1c0216
SHA1 74b1b6616d5cf1713ca5bca03686d7e9965b3884
SHA256 25cf8ee77b84d14e7d8cbc6ee7302a272c0fbd9e8239766fcf8385762427d241
SHA512 6843a28b674191f46173f0cf895a977a2d9a0a5230738de76e60521d8d0cb9e149fc3bd176aab34cfce4303f691996277c0c09af6e4184121378ada0bb7afd4c
-
memory/560-98-0x000000005FFF0000-0x0000000060000000-memory.dmp
Filesize 64KB
-
memory/560-92-0x0000000000000000-mapping.dmp
-
memory/560-109-0x000000007186D000-0x0000000071878000-memory.dmp
Filesize 44KB
-
memory/560-99-0x000000007186D000-0x0000000071878000-memory.dmp
Filesize 44KB
-
memory/560-96-0x0000000070881000-0x0000000070883000-memory.dmp
Filesize 8KB
-
memory/560-94-0x0000000072E01000-0x0000000072E04000-memory.dmp
Filesize 12KB
-
memory/1116-73-0x0000000000000000-mapping.dmp
-
memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1152-67-0x0000000000000000-mapping.dmp
-
memory/1424-62-0x0000000000000000-mapping.dmp
-
memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1476-83-0x0000000002FA0000-0x0000000003040000-memory.dmp
Filesize 640KB
-
memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp
Filesize 8KB
-
memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1476-57-0x0000000002FA0000-0x0000000003040000-memory.dmp
Filesize 640KB
-
memory/1528-97-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp
Filesize 8KB
-
memory/1528-112-0x0000000002680000-0x0000000002690000-memory.dmp
Filesize 64KB
-
memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1676-89-0x0000000000000000-mapping.dmp
-
memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1788-79-0x0000000000000000-mapping.dmp
-
memory/1816-77-0x0000000000000000-mapping.dmp
-
memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp
Filesize 640KB
-
memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp
Filesize 640KB
-
memory/1992-58-0x0000000000000000-mapping.dmp