Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 174s
max time network: 32s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 10:43
Behavioral task: behavioral1
Sample: eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Resource: win7-20221111-en
General
Target: eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Size: 255KB
MD5: 40527cd1cd4784f0e47dbc5b3a05b600
SHA1: 2b0e60502ecbd26bb3c4b8da6fdaa15a894a9fb8
SHA256: eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e
SHA512: 665e47ead615771fd1dc95bb8661adbc534f1a93c6e2fc5b223f9e23e86c39e01e2623002ad9608880505bf07a8354efdb4975bba15e4c7b61dd706620796e43
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJq:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIp
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | trhwfxawbv.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | trhwfxawbv.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | trhwfxawbv.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | trhwfxawbv.exe
Executes dropped EXE (6 IoCs)
pid | process
876 | trhwfxawbv.exe
596 | vozdcdifynpetqo.exe
580 | cjyvphab.exe
1804 | dqweumtibjkjt.exe
964 | dqweumtibjkjt.exe
1284 | cjyvphab.exe
Loads dropped DLL (6 IoCs)
pid | process
960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
840 | cmd.exe
876 | trhwfxawbv.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | trhwfxawbv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jsuralvd = "trhwfxawbv.exe" | vozdcdifynpetqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mezzbpgf = "vozdcdifynpetqo.exe" | vozdcdifynpetqo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dqweumtibjkjt.exe" | vozdcdifynpetqo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | vozdcdifynpetqo.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | trhwfxawbv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | trhwfxawbv.exe
AutoIT Executable (14 IoCs)
AutoIT scripts compiled to PE executables.
Drops file in System32 directory (9 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\cjyvphab.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification | C:\Windows\SysWOW64\dqweumtibjkjt.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created | C:\Windows\SysWOW64\trhwfxawbv.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created | C:\Windows\SysWOW64\vozdcdifynpetqo.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification | C:\Windows\SysWOW64\vozdcdifynpetqo.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification | C:\Windows\SysWOW64\cjyvphab.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File created | C:\Windows\SysWOW64\dqweumtibjkjt.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | trhwfxawbv.exe
File opened for modification | C:\Windows\SysWOW64\trhwfxawbv.exe | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
Drops file in Program Files directory (15 IoCs)
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cjyvphab.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | cjyvphab.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | cjyvphab.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | cjyvphab.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | cjyvphab.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | cjyvphab.exe
Drops file in Windows directory (5 IoCs)
description | ioc | process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | process
1648 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (22 IoCs)
Suspicious use of SendNotifyMessage (22 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
1648 WINWORD.EXE
1648 WINWORD.EXE
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 960 wrote to memory of 876 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 28
PID 960 wrote to memory of 876 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 28
PID 960 wrote to memory of 876 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 28
PID 960 wrote to memory of 876 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 28
PID 960 wrote to memory of 596 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 29
PID 960 wrote to memory of 596 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 29
PID 960 wrote to memory of 596 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 29
PID 960 wrote to memory of 596 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 29
PID 960 wrote to memory of 580 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 30
PID 960 wrote to memory of 580 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 30
PID 960 wrote to memory of 580 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 30
PID 960 wrote to memory of 580 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 30
PID 960 wrote to memory of 1804 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 31
PID 960 wrote to memory of 1804 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 31
PID 960 wrote to memory of 1804 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 31
PID 960 wrote to memory of 1804 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 31
PID 596 wrote to memory of 840 | 596 | vozdcdifynpetqo.exe | 32
PID 596 wrote to memory of 840 | 596 | vozdcdifynpetqo.exe | 32
PID 596 wrote to memory of 840 | 596 | vozdcdifynpetqo.exe | 32
PID 596 wrote to memory of 840 | 596 | vozdcdifynpetqo.exe | 32
PID 840 wrote to memory of 964 | 840 | cmd.exe | 34
PID 840 wrote to memory of 964 | 840 | cmd.exe | 34
PID 840 wrote to memory of 964 | 840 | cmd.exe | 34
PID 840 wrote to memory of 964 | 840 | cmd.exe | 34
PID 876 wrote to memory of 1284 | 876 | trhwfxawbv.exe | 35
PID 876 wrote to memory of 1284 | 876 | trhwfxawbv.exe | 35
PID 876 wrote to memory of 1284 | 876 | trhwfxawbv.exe | 35
PID 876 wrote to memory of 1284 | 876 | trhwfxawbv.exe | 35
PID 960 wrote to memory of 1648 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 36
PID 960 wrote to memory of 1648 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 36
PID 960 wrote to memory of 1648 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 36
PID 960 wrote to memory of 1648 | 960 | eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe | 36
PID 1648 wrote to memory of 1148 | 1648 | WINWORD.EXE | 40
PID 1648 wrote to memory of 1148 | 1648 | WINWORD.EXE | 40
PID 1648 wrote to memory of 1148 | 1648 | WINWORD.EXE | 40
PID 1648 wrote to memory of 1148 | 1648 | WINWORD.EXE | 40
Processes

C:\Users\Admin\AppData\Local\Temp\eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\eff2650df4553efad1a2d33639d4cc5882f4f3c9c6f86c083142f4224b41a29e.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 960

  C:\Windows\SysWOW64\trhwfxawbv.exe (depth 2)
  Command line: trhwfxawbv.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 876

    C:\Windows\SysWOW64\cjyvphab.exe (depth 3)
    Command line: C:\Windows\system32\cjyvphab.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1284

  C:\Windows\SysWOW64\vozdcdifynpetqo.exe (depth 2)
  Command line: vozdcdifynpetqo.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 596

    C:\Windows\SysWOW64\cmd.exe (depth 3)
    Command line: cmd.exe /c dqweumtibjkjt.exe
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 840

      C:\Windows\SysWOW64\dqweumtibjkjt.exe (depth 4)
      Command line: dqweumtibjkjt.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 964

  C:\Windows\SysWOW64\cjyvphab.exe (depth 2)
  Command line: cjyvphab.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 580

  C:\Windows\SysWOW64\dqweumtibjkjt.exe (depth 2)
  Command line: dqweumtibjkjt.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1804

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1648

    C:\Windows\splwow64.exe (depth 3)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1148
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories 2
- Registry Run Keys / Startup Folder 1
- Winlogon Helper DLL 1
Defense Evasion
- Disabling Security Tools 2
- Hidden Files and Directories 2
- Modify Registry 7
Downloads