a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78

Analysis

max time kernel
151s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Size

255KB
MD5

96a1693ba62d67320cd3dc074f3ce804
SHA1

da55e99e4e15df86ef5c81ba60e334352bbff2ea
SHA256

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78
SHA512

7ac579a74e6658a83cfcc43453f23c861479885f3fb9779a8ccf9639c852a9248a61bb98514a74c940232da82c2277f67e414385575acd8679c1433a92f42bcd
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJN:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIy

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	guwnuglbyv.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	guwnuglbyv.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	guwnuglbyv.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	guwnuglbyv.exe

Executes dropped EXE 6 IoCs

Processes:

guwnuglbyv.exeyqibxrycsdtwnli.exeetxejjuw.exemgxkzaztfqiww.exemgxkzaztfqiww.exeetxejjuw.exe

pid process

1992 guwnuglbyv.exe
1424 yqibxrycsdtwnli.exe
1152 etxejjuw.exe
1116 mgxkzaztfqiww.exe
1788 mgxkzaztfqiww.exe
1676 etxejjuw.exe

pid	process
1992	guwnuglbyv.exe
1424	yqibxrycsdtwnli.exe
1152	etxejjuw.exe
1116	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1676	etxejjuw.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\guwnuglbyv.exe	upx
behavioral1/memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1476-57-0x0000000002FA0000-0x0000000003040000-memory.dmp	upx
C:\Windows\SysWOW64\guwnuglbyv.exe	upx
\Windows\SysWOW64\yqibxrycsdtwnli.exe	upx
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe	upx
\Windows\SysWOW64\etxejjuw.exe	upx
C:\Windows\SysWOW64\guwnuglbyv.exe	upx
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe	upx
C:\Windows\SysWOW64\etxejjuw.exe	upx
\Windows\SysWOW64\mgxkzaztfqiww.exe	upx
C:\Windows\SysWOW64\etxejjuw.exe	upx
C:\Windows\SysWOW64\mgxkzaztfqiww.exe	upx
C:\Windows\SysWOW64\mgxkzaztfqiww.exe	upx
\Windows\SysWOW64\mgxkzaztfqiww.exe	upx
C:\Windows\SysWOW64\mgxkzaztfqiww.exe	upx
behavioral1/memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
\Windows\SysWOW64\etxejjuw.exe	upx
C:\Windows\SysWOW64\etxejjuw.exe	upx
behavioral1/memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp	upx
behavioral1/memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	upx
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	upx

Loads dropped DLL 6 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.execmd.exeguwnuglbyv.exe

pid	process
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1816	cmd.exe
1992	guwnuglbyv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	guwnuglbyv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yqibxrycsdtwnli.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gqymhnqk = "guwnuglbyv.exe"	yqibxrycsdtwnli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\evyuknzk = "yqibxrycsdtwnli.exe"	yqibxrycsdtwnli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mgxkzaztfqiww.exe"	yqibxrycsdtwnli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	yqibxrycsdtwnli.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

etxejjuw.exeetxejjuw.exeguwnuglbyv.exe

description	ioc	process
File opened (read-only)	\??\l:	etxejjuw.exe
File opened (read-only)	\??\r:	etxejjuw.exe
File opened (read-only)	\??\p:	etxejjuw.exe
File opened (read-only)	\??\z:	etxejjuw.exe
File opened (read-only)	\??\m:	etxejjuw.exe
File opened (read-only)	\??\i:	etxejjuw.exe
File opened (read-only)	\??\w:	etxejjuw.exe
File opened (read-only)	\??\x:	etxejjuw.exe
File opened (read-only)	\??\n:	etxejjuw.exe
File opened (read-only)	\??\h:	etxejjuw.exe
File opened (read-only)	\??\g:	guwnuglbyv.exe
File opened (read-only)	\??\q:	guwnuglbyv.exe
File opened (read-only)	\??\o:	etxejjuw.exe
File opened (read-only)	\??\q:	etxejjuw.exe
File opened (read-only)	\??\e:	etxejjuw.exe
File opened (read-only)	\??\y:	etxejjuw.exe
File opened (read-only)	\??\f:	guwnuglbyv.exe
File opened (read-only)	\??\i:	guwnuglbyv.exe
File opened (read-only)	\??\u:	guwnuglbyv.exe
File opened (read-only)	\??\v:	guwnuglbyv.exe
File opened (read-only)	\??\p:	etxejjuw.exe
File opened (read-only)	\??\k:	etxejjuw.exe
File opened (read-only)	\??\u:	etxejjuw.exe
File opened (read-only)	\??\e:	guwnuglbyv.exe
File opened (read-only)	\??\t:	guwnuglbyv.exe
File opened (read-only)	\??\w:	guwnuglbyv.exe
File opened (read-only)	\??\t:	etxejjuw.exe
File opened (read-only)	\??\r:	etxejjuw.exe
File opened (read-only)	\??\j:	guwnuglbyv.exe
File opened (read-only)	\??\k:	etxejjuw.exe
File opened (read-only)	\??\q:	etxejjuw.exe
File opened (read-only)	\??\a:	guwnuglbyv.exe
File opened (read-only)	\??\o:	guwnuglbyv.exe
File opened (read-only)	\??\z:	guwnuglbyv.exe
File opened (read-only)	\??\b:	etxejjuw.exe
File opened (read-only)	\??\g:	etxejjuw.exe
File opened (read-only)	\??\i:	etxejjuw.exe
File opened (read-only)	\??\o:	etxejjuw.exe
File opened (read-only)	\??\s:	etxejjuw.exe
File opened (read-only)	\??\r:	guwnuglbyv.exe
File opened (read-only)	\??\s:	guwnuglbyv.exe
File opened (read-only)	\??\j:	etxejjuw.exe
File opened (read-only)	\??\s:	etxejjuw.exe
File opened (read-only)	\??\h:	etxejjuw.exe
File opened (read-only)	\??\g:	etxejjuw.exe
File opened (read-only)	\??\l:	etxejjuw.exe
File opened (read-only)	\??\y:	etxejjuw.exe
File opened (read-only)	\??\j:	etxejjuw.exe
File opened (read-only)	\??\b:	guwnuglbyv.exe
File opened (read-only)	\??\h:	guwnuglbyv.exe
File opened (read-only)	\??\m:	guwnuglbyv.exe
File opened (read-only)	\??\y:	guwnuglbyv.exe
File opened (read-only)	\??\b:	etxejjuw.exe
File opened (read-only)	\??\v:	etxejjuw.exe
File opened (read-only)	\??\v:	etxejjuw.exe
File opened (read-only)	\??\w:	etxejjuw.exe
File opened (read-only)	\??\x:	etxejjuw.exe
File opened (read-only)	\??\l:	guwnuglbyv.exe
File opened (read-only)	\??\u:	etxejjuw.exe
File opened (read-only)	\??\a:	etxejjuw.exe
File opened (read-only)	\??\t:	etxejjuw.exe
File opened (read-only)	\??\n:	guwnuglbyv.exe
File opened (read-only)	\??\x:	guwnuglbyv.exe
File opened (read-only)	\??\a:	etxejjuw.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

guwnuglbyv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	guwnuglbyv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	guwnuglbyv.exe

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp	autoit_exe
behavioral1/memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeguwnuglbyv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\mgxkzaztfqiww.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	guwnuglbyv.exe
File created	C:\Windows\SysWOW64\guwnuglbyv.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File opened for modification	C:\Windows\SysWOW64\guwnuglbyv.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File created	C:\Windows\SysWOW64\yqibxrycsdtwnli.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File created	C:\Windows\SysWOW64\etxejjuw.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File created	C:\Windows\SysWOW64\mgxkzaztfqiww.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File opened for modification	C:\Windows\SysWOW64\yqibxrycsdtwnli.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File opened for modification	C:\Windows\SysWOW64\etxejjuw.exe	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe

Drops file in Program Files directory 15 IoCs

Processes:

etxejjuw.exeetxejjuw.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	etxejjuw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etxejjuw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	etxejjuw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	etxejjuw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etxejjuw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	etxejjuw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	etxejjuw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	etxejjuw.exe

Drops file in Windows directory 4 IoCs

Processes:

WINWORD.EXEa92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe

description	ioc	process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEexplorer.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeWINWORD.EXEexplorer.exeguwnuglbyv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1845C70C1490DBBEB8CF7C93EC9434BB"	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFFFB4F28851A9032D75F7EE6BC90E1345846674E6242D6EA"	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D7D9D5583516D4276D770532CDC7C8765DF"	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBCF9CCF964F1E084783A4381EB3992B38C02F04213023EE1BF42EC08A3"	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	guwnuglbyv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	guwnuglbyv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

560 WINWORD.EXE

pid	process
560	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeyqibxrycsdtwnli.exeetxejjuw.exemgxkzaztfqiww.exeguwnuglbyv.exemgxkzaztfqiww.exeetxejjuw.exe

pid	process
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1676	etxejjuw.exe
1676	etxejjuw.exe
1676	etxejjuw.exe
1676	etxejjuw.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1424	yqibxrycsdtwnli.exe
1788	mgxkzaztfqiww.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

explorer.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: 33	268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	268	AUDIODG.EXE
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe
Token: SeShutdownPrivilege	1528	explorer.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeguwnuglbyv.exeyqibxrycsdtwnli.exeetxejjuw.exemgxkzaztfqiww.exemgxkzaztfqiww.exeetxejjuw.exeexplorer.exe

pid	process
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1788	mgxkzaztfqiww.exe
1676	etxejjuw.exe
1676	etxejjuw.exe
1676	etxejjuw.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeguwnuglbyv.exeyqibxrycsdtwnli.exeetxejjuw.exemgxkzaztfqiww.exeexplorer.exe

pid	process
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1992	guwnuglbyv.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1424	yqibxrycsdtwnli.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1152	etxejjuw.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1116	mgxkzaztfqiww.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

560 WINWORD.EXE
560 WINWORD.EXE

pid	process
560	WINWORD.EXE
560	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exeyqibxrycsdtwnli.execmd.exeguwnuglbyv.exe

description	pid	process	target process
PID 1476 wrote to memory of 1992	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	guwnuglbyv.exe
PID 1476 wrote to memory of 1992	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	guwnuglbyv.exe
PID 1476 wrote to memory of 1992	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	guwnuglbyv.exe
PID 1476 wrote to memory of 1992	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	guwnuglbyv.exe
PID 1476 wrote to memory of 1424	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	yqibxrycsdtwnli.exe
PID 1476 wrote to memory of 1424	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	yqibxrycsdtwnli.exe
PID 1476 wrote to memory of 1424	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	yqibxrycsdtwnli.exe
PID 1476 wrote to memory of 1424	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	yqibxrycsdtwnli.exe
PID 1476 wrote to memory of 1152	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	etxejjuw.exe
PID 1476 wrote to memory of 1152	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	etxejjuw.exe
PID 1476 wrote to memory of 1152	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	etxejjuw.exe
PID 1476 wrote to memory of 1152	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	etxejjuw.exe
PID 1476 wrote to memory of 1116	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	mgxkzaztfqiww.exe
PID 1476 wrote to memory of 1116	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	mgxkzaztfqiww.exe
PID 1476 wrote to memory of 1116	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	mgxkzaztfqiww.exe
PID 1476 wrote to memory of 1116	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	mgxkzaztfqiww.exe
PID 1424 wrote to memory of 1816	1424	yqibxrycsdtwnli.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	yqibxrycsdtwnli.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	yqibxrycsdtwnli.exe	cmd.exe
PID 1424 wrote to memory of 1816	1424	yqibxrycsdtwnli.exe	cmd.exe
PID 1816 wrote to memory of 1788	1816	cmd.exe	mgxkzaztfqiww.exe
PID 1816 wrote to memory of 1788	1816	cmd.exe	mgxkzaztfqiww.exe
PID 1816 wrote to memory of 1788	1816	cmd.exe	mgxkzaztfqiww.exe
PID 1816 wrote to memory of 1788	1816	cmd.exe	mgxkzaztfqiww.exe
PID 1992 wrote to memory of 1676	1992	guwnuglbyv.exe	etxejjuw.exe
PID 1992 wrote to memory of 1676	1992	guwnuglbyv.exe	etxejjuw.exe
PID 1992 wrote to memory of 1676	1992	guwnuglbyv.exe	etxejjuw.exe
PID 1992 wrote to memory of 1676	1992	guwnuglbyv.exe	etxejjuw.exe
PID 1476 wrote to memory of 560	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	WINWORD.EXE
PID 1476 wrote to memory of 560	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	WINWORD.EXE
PID 1476 wrote to memory of 560	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	WINWORD.EXE
PID 1476 wrote to memory of 560	1476	a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe
"C:\Users\Admin\AppData\Local\Temp\a92514ed93e63ae328a4d76c881a975b8baebfcc17fb19c4428e0eae2c01ba78.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\guwnuglbyv.exe
guwnuglbyv.exe
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\etxejjuw.exe
C:\Windows\system32\etxejjuw.exe
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1676

C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
yqibxrycsdtwnli.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c mgxkzaztfqiww.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\mgxkzaztfqiww.exe
mgxkzaztfqiww.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1788

C:\Windows\SysWOW64\etxejjuw.exe
etxejjuw.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152

C:\Windows\SysWOW64\mgxkzaztfqiww.exe
mgxkzaztfqiww.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:560

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x598
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
Filesize
255KB

MD5
2ecea368036e95912332cb5318a66665

SHA1
f0dc6819c370eb8c39ec863d0aa41691eb224aa1

SHA256
f4967889a1e947c511f1718bba457662489a9d4fa9aaf4b67de849f08da129e5

SHA512
15f934c1b74225e402935db4805be4bbe09f9bf187a9ae588063ae61ec8fd3df83586a03fa5d9b6b68f89c0e5336e94b5951f07863c3637630aeb0c7a0cf57c8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Filesize
255KB

MD5
844834a557b8135250bab951d1996f81

SHA1
0bc5dfcebc7518d83891d7c5bc3efea02b8b8f35

SHA256
0d06333303ff8341eb79c5c5ce9e2135d0c0100f65b409878680dd1d7e2f6f6e

SHA512
3b444ff6e4d5e4a0938fa1c804414cd01cd9b354631126b405e46311a64b3f2d16fc046e661381f2086fb71c52f7be5bed5ceec6d895d171d4a6f432b399aa85

Download Submit
C:\Windows\SysWOW64\etxejjuw.exe
Filesize
255KB

MD5
f94d674a91ec38e870baed8253765994

SHA1
10d7b0681e48aa82465e6915d299847bec701c6f

SHA256
cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb

SHA512
e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967

Download Submit
C:\Windows\SysWOW64\etxejjuw.exe
Filesize
255KB

MD5
f94d674a91ec38e870baed8253765994

SHA1
10d7b0681e48aa82465e6915d299847bec701c6f

SHA256
cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb

SHA512
e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967

Download Submit
C:\Windows\SysWOW64\etxejjuw.exe
Filesize
255KB

MD5
f94d674a91ec38e870baed8253765994

SHA1
10d7b0681e48aa82465e6915d299847bec701c6f

SHA256
cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb

SHA512
e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967

Download Submit
C:\Windows\SysWOW64\guwnuglbyv.exe
Filesize
255KB

MD5
2bb81a2b18e4175ddb3a69baf6702d5d

SHA1
da82daedcaef411b23fc96e759705cba4211de25

SHA256
8d470d415a83821d474c95a450d6c06433c0e311a5925ee35aa3a288cbf6ba02

SHA512
259430bd90425afb8a1bc372aa15c4e6e42ceb27383fc407e2f7c321c16cda02970b413628e37ee396940f76ed861a4d0247b082430537e7cfb31695b66f8796

Download Submit
C:\Windows\SysWOW64\guwnuglbyv.exe
Filesize
255KB

MD5
2bb81a2b18e4175ddb3a69baf6702d5d

SHA1
da82daedcaef411b23fc96e759705cba4211de25

SHA256
8d470d415a83821d474c95a450d6c06433c0e311a5925ee35aa3a288cbf6ba02

SHA512
259430bd90425afb8a1bc372aa15c4e6e42ceb27383fc407e2f7c321c16cda02970b413628e37ee396940f76ed861a4d0247b082430537e7cfb31695b66f8796

Download Submit
C:\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize
255KB

MD5
1d494fb97b1173af2ada43b18cb3fdc3

SHA1
2fda4aea53ffdbdc4744e0339667a759f265a111

SHA256
e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d

SHA512
7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7

Download Submit
C:\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize
255KB

MD5
1d494fb97b1173af2ada43b18cb3fdc3

SHA1
2fda4aea53ffdbdc4744e0339667a759f265a111

SHA256
e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d

SHA512
7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7

Download Submit
C:\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize
255KB

MD5
1d494fb97b1173af2ada43b18cb3fdc3

SHA1
2fda4aea53ffdbdc4744e0339667a759f265a111

SHA256
e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d

SHA512
7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7

Download Submit
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
Filesize
255KB

MD5
fe9414349c77d1317d87ff8e9c1c0216

SHA1
74b1b6616d5cf1713ca5bca03686d7e9965b3884

SHA256
25cf8ee77b84d14e7d8cbc6ee7302a272c0fbd9e8239766fcf8385762427d241

SHA512
6843a28b674191f46173f0cf895a977a2d9a0a5230738de76e60521d8d0cb9e149fc3bd176aab34cfce4303f691996277c0c09af6e4184121378ada0bb7afd4c

Download Submit
C:\Windows\SysWOW64\yqibxrycsdtwnli.exe
Filesize
255KB

MD5
fe9414349c77d1317d87ff8e9c1c0216

SHA1
74b1b6616d5cf1713ca5bca03686d7e9965b3884

SHA256
25cf8ee77b84d14e7d8cbc6ee7302a272c0fbd9e8239766fcf8385762427d241

SHA512
6843a28b674191f46173f0cf895a977a2d9a0a5230738de76e60521d8d0cb9e149fc3bd176aab34cfce4303f691996277c0c09af6e4184121378ada0bb7afd4c

Download Submit
C:\Windows\mydoc.rtf
Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\etxejjuw.exe
Filesize
255KB

MD5
f94d674a91ec38e870baed8253765994

SHA1
10d7b0681e48aa82465e6915d299847bec701c6f

SHA256
cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb

SHA512
e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967

Download Submit
\Windows\SysWOW64\etxejjuw.exe
Filesize
255KB

MD5
f94d674a91ec38e870baed8253765994

SHA1
10d7b0681e48aa82465e6915d299847bec701c6f

SHA256
cbb8fb4b3093bad7e5ed10499d8c37634dbf913c7e23fbe8a4fca799a33903cb

SHA512
e0777ca431832da7e7b7c6ef48d048adb94e28e0084661d0a1befddcf89570f7484aad6da957752897e26a9aacff63b86f0f12b90658a8da4021358e8b0e1967

Download Submit
\Windows\SysWOW64\guwnuglbyv.exe
Filesize
255KB

MD5
2bb81a2b18e4175ddb3a69baf6702d5d

SHA1
da82daedcaef411b23fc96e759705cba4211de25

SHA256
8d470d415a83821d474c95a450d6c06433c0e311a5925ee35aa3a288cbf6ba02

SHA512
259430bd90425afb8a1bc372aa15c4e6e42ceb27383fc407e2f7c321c16cda02970b413628e37ee396940f76ed861a4d0247b082430537e7cfb31695b66f8796

Download Submit
\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize
255KB

MD5
1d494fb97b1173af2ada43b18cb3fdc3

SHA1
2fda4aea53ffdbdc4744e0339667a759f265a111

SHA256
e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d

SHA512
7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7

Download Submit
\Windows\SysWOW64\mgxkzaztfqiww.exe
Filesize
255KB

MD5
1d494fb97b1173af2ada43b18cb3fdc3

SHA1
2fda4aea53ffdbdc4744e0339667a759f265a111

SHA256
e1e0523e73b3b74f53eaad7da3d516ebd4ec745145eec4188d9fb66246a5c41d

SHA512
7507fc4a1e1192b75dc3be02dcfd62396380542b06df608a83d6aeeaf058f3c92e0aa6c6df1c902ba02540a9b89296898ed3f6102cfdfe386900fdb1675e17b7

Download Submit
\Windows\SysWOW64\yqibxrycsdtwnli.exe
Filesize
255KB

MD5
fe9414349c77d1317d87ff8e9c1c0216

SHA1
74b1b6616d5cf1713ca5bca03686d7e9965b3884

SHA256
25cf8ee77b84d14e7d8cbc6ee7302a272c0fbd9e8239766fcf8385762427d241

SHA512
6843a28b674191f46173f0cf895a977a2d9a0a5230738de76e60521d8d0cb9e149fc3bd176aab34cfce4303f691996277c0c09af6e4184121378ada0bb7afd4c

Download Submit
memory/560-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/560-92-0x0000000000000000-mapping.dmp

Download
memory/560-109-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/560-99-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/560-96-0x0000000070881000-0x0000000070883000-memory.dmp

Filesize
8KB

Download
memory/560-94-0x0000000072E01000-0x0000000072E04000-memory.dmp

Filesize
12KB

Download
memory/1116-73-0x0000000000000000-mapping.dmp

Download
memory/1116-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1116-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1152-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1152-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1152-67-0x0000000000000000-mapping.dmp

Download
memory/1424-62-0x0000000000000000-mapping.dmp

Download
memory/1424-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1424-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-83-0x0000000002FA0000-0x0000000003040000-memory.dmp

Filesize
640KB

Download
memory/1476-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1476-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1476-57-0x0000000002FA0000-0x0000000003040000-memory.dmp

Filesize
640KB

Download
memory/1528-97-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1528-112-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/1676-108-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1676-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1676-89-0x0000000000000000-mapping.dmp

Download
memory/1788-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1788-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1788-79-0x0000000000000000-mapping.dmp

Download
memory/1816-77-0x0000000000000000-mapping.dmp

Download
memory/1992-107-0x0000000003830000-0x00000000038D0000-memory.dmp

Filesize
640KB

Download
memory/1992-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1992-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads