Analysis
max time kernel: 151s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:38
Behavioral task: behavioral1
Sample: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Resource: win10v2004-20221111-en
General
Target: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Size: 255KB
MD5: 445ebea2dac416aaec5cc891c9bdd5e0
SHA1: 8741e82486f5e5d1216f5e8d654d97e489f894a2
SHA256: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5
SHA512: 250f9c800c57de35e524e8dfa9d2dfeeb15f48f61ca6bed3875489b9c66228dc78b4f886fe2231da6cbaba0eeed8a74f18b90903f85d9984b5a2a38da24e1fb8
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJj:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIq
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | tcehjetkvg.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tcehjetkvg.exe
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tcehjetkvg.exe
Disables RegEdit via registry modification (1 IoC)
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | tcehjetkvg.exe
Executes dropped EXE (5 IoCs)
Processes: tcehjetkvg.exe, wqvmjvxoksatzze.exe, fypnvucx.exe, bsyhsyqsdriio.exe, fypnvucx.exe
pid | process
824 | tcehjetkvg.exe
936 | wqvmjvxoksatzze.exe
2040 | fypnvucx.exe
2008 | bsyhsyqsdriio.exe
320 | fypnvucx.exe
Processes:
resource | yara_rule
behavioral1/memory/752-55-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
\Windows\SysWOW64\tcehjetkvg.exe | upx
C:\Windows\SysWOW64\tcehjetkvg.exe | upx
C:\Windows\SysWOW64\tcehjetkvg.exe | upx
\Windows\SysWOW64\wqvmjvxoksatzze.exe | upx
C:\Windows\SysWOW64\wqvmjvxoksatzze.exe | upx
\Windows\SysWOW64\fypnvucx.exe | upx
C:\Windows\SysWOW64\fypnvucx.exe | upx
\Windows\SysWOW64\bsyhsyqsdriio.exe | upx
C:\Windows\SysWOW64\wqvmjvxoksatzze.exe | upx
C:\Windows\SysWOW64\fypnvucx.exe | upx
C:\Windows\SysWOW64\bsyhsyqsdriio.exe | upx
C:\Windows\SysWOW64\bsyhsyqsdriio.exe | upx
\Windows\SysWOW64\fypnvucx.exe | upx
C:\Windows\SysWOW64\fypnvucx.exe | upx
behavioral1/memory/824-80-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/936-82-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2040-83-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2008-84-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/320-85-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/752-87-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/824-94-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/936-95-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2040-96-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/2008-97-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
behavioral1/memory/320-98-0x0000000000400000-0x00000000004A0000-memory.dmp | upx
Loads dropped DLL (5 IoCs)
Processes: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe, tcehjetkvg.exe
pid | process
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
824 | tcehjetkvg.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | tcehjetkvg.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: wqvmjvxoksatzze.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wqvmjvxoksatzze.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otnifaes = "tcehjetkvg.exe" | wqvmjvxoksatzze.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iaqrerot = "wqvmjvxoksatzze.exe" | wqvmjvxoksatzze.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bsyhsyqsdriio.exe" | wqvmjvxoksatzze.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
Processes: tcehjetkvg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | tcehjetkvg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | tcehjetkvg.exe
AutoIT Executable (12 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/752-55-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/824-80-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/936-82-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2040-83-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2008-84-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/320-85-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/752-87-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/824-94-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/936-95-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2040-96-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/2008-97-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
behavioral1/memory/320-98-0x0000000000400000-0x00000000004A0000-memory.dmp | autoit_exe
Drops file in System32 directory (9 IoCs)
Processes: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe, tcehjetkvg.exe
description | ioc | process
File created | C:\Windows\SysWOW64\fypnvucx.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\SysWOW64\fypnvucx.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File created | C:\Windows\SysWOW64\bsyhsyqsdriio.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\SysWOW64\bsyhsyqsdriio.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File created | C:\Windows\SysWOW64\wqvmjvxoksatzze.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\SysWOW64\tcehjetkvg.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\SysWOW64\wqvmjvxoksatzze.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | tcehjetkvg.exe
File created | C:\Windows\SysWOW64\tcehjetkvg.exe | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Drops file in Program Files directory (15 IoCs)
Processes: fypnvucx.exe, fypnvucx.exe
description | ioc | process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fypnvucx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fypnvucx.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fypnvucx.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fypnvucx.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fypnvucx.exe
Drops file in Windows directory (5 IoCs)
Processes: WINWORD.EXE, 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies registry class (64 IoCs)
Processes: WINWORD.EXE, tcehjetkvg.exe, 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | tcehjetkvg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | tcehjetkvg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9F9CCFE6BF194837A3A4781EC39E5B0FB038C4369023DE2C445EA08D6" | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78768B1FE6A21D1D209D0D68A7C9010" | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7B9C2C83576A3676D577222CAE7CF164DE" | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | tcehjetkvg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: WINWORD.EXE
pid | process
280 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of FindShellTrayWindow (18 IoCs)
Processes: 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe, tcehjetkvg.exe, wqvmjvxoksatzze.exe, fypnvucx.exe, bsyhsyqsdriio.exe, fypnvucx.exe
pid | process
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
752 | 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
824 | tcehjetkvg.exe
824 | tcehjetkvg.exe
824 | tcehjetkvg.exe
936 | wqvmjvxoksatzze.exe
936 | wqvmjvxoksatzze.exe
936 | wqvmjvxoksatzze.exe
2040 | fypnvucx.exe
2040 | fypnvucx.exe
2040 | fypnvucx.exe
2008 | bsyhsyqsdriio.exe
2008 | bsyhsyqsdriio.exe
2008 | bsyhsyqsdriio.exe
320 | fypnvucx.exe
320 | fypnvucx.exe
320 | fypnvucx.exe
Suspicious use of SendNotifyMessage 18 IoCs
Processes:
6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe, tcehjetkvg.exe, wqvmjvxoksatzze.exe, fypnvucx.exe, bsyhsyqsdriio.exe, fypnvucx.exe
pid process (x3 = logged three times each, 18 events in total)
752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe (x3)
824 tcehjetkvg.exe (x3)
936 wqvmjvxoksatzze.exe (x3)
2040 fypnvucx.exe (x3)
2008 bsyhsyqsdriio.exe (x3)
320 fypnvucx.exe (x3)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXE
pid process
280 WINWORD.EXE (x2)
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe, tcehjetkvg.exe, WINWORD.EXE
description pid process target process (each parent/child pair is logged four times, 28 events in total)
PID 752 wrote to memory of 824 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe tcehjetkvg.exe (x4)
PID 752 wrote to memory of 936 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe wqvmjvxoksatzze.exe (x4)
PID 752 wrote to memory of 2040 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe fypnvucx.exe (x4)
PID 752 wrote to memory of 2008 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe bsyhsyqsdriio.exe (x4)
PID 824 wrote to memory of 320 824 tcehjetkvg.exe fypnvucx.exe (x4)
PID 752 wrote to memory of 280 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe WINWORD.EXE (x4)
PID 280 wrote to memory of 1624 280 WINWORD.EXE splwow64.exe (x4)
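Added example, not part of the report: the WriteProcessMemory list above is the only place this page records parent/child relationships, and a flat list of 28 near-identical events is hard to read. The script below parses that text in the report's own phrasing, collapses the repeated events per pair, and rebuilds the process tree with the event count on each edge. The event text is copied from the section above; the regular expression and the tree functions are assumptions about the report format, not a Triage API.

```python
"""Rebuild the process tree from a sandbox report's WriteProcessMemory events."""
import re
from collections import Counter, defaultdict

# The 28 "wrote to memory" events from the section above, one per line, in the
# report's own wording: parent pid, child pid, parent pid again, parent image,
# child image. Each pair appears four times, exactly as the report lists it.
WPM_EVENTS = """\
PID 752 wrote to memory of 824 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe tcehjetkvg.exe
PID 752 wrote to memory of 824 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe tcehjetkvg.exe
PID 752 wrote to memory of 824 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe tcehjetkvg.exe
PID 752 wrote to memory of 824 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe tcehjetkvg.exe
PID 752 wrote to memory of 936 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe wqvmjvxoksatzze.exe
PID 752 wrote to memory of 936 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe wqvmjvxoksatzze.exe
PID 752 wrote to memory of 936 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe wqvmjvxoksatzze.exe
PID 752 wrote to memory of 936 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe wqvmjvxoksatzze.exe
PID 752 wrote to memory of 2040 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe fypnvucx.exe
PID 752 wrote to memory of 2040 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe fypnvucx.exe
PID 752 wrote to memory of 2040 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe fypnvucx.exe
PID 752 wrote to memory of 2040 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe fypnvucx.exe
PID 752 wrote to memory of 2008 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe bsyhsyqsdriio.exe
PID 752 wrote to memory of 2008 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe bsyhsyqsdriio.exe
PID 752 wrote to memory of 2008 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe bsyhsyqsdriio.exe
PID 752 wrote to memory of 2008 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe bsyhsyqsdriio.exe
PID 824 wrote to memory of 320 824 tcehjetkvg.exe fypnvucx.exe
PID 824 wrote to memory of 320 824 tcehjetkvg.exe fypnvucx.exe
PID 824 wrote to memory of 320 824 tcehjetkvg.exe fypnvucx.exe
PID 824 wrote to memory of 320 824 tcehjetkvg.exe fypnvucx.exe
PID 752 wrote to memory of 280 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe WINWORD.EXE
PID 752 wrote to memory of 280 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe WINWORD.EXE
PID 752 wrote to memory of 280 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe WINWORD.EXE
PID 752 wrote to memory of 280 752 6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe WINWORD.EXE
PID 280 wrote to memory of 1624 280 WINWORD.EXE splwow64.exe
PID 280 wrote to memory of 1624 280 WINWORD.EXE splwow64.exe
PID 280 wrote to memory of 1624 280 WINWORD.EXE splwow64.exe
PID 280 wrote to memory of 1624 280 WINWORD.EXE splwow64.exe
"""

# Assumed line shape; the second pid after "of" repeats the parent and is skipped.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_events(text):
    """Count how often each (parent, child) pid pair was logged and remember
    the image name the report gives for each pid."""
    edge_counts = Counter()
    names = {}
    for m in EVENT_RE.finditer(text):
        parent, child, parent_name, child_name = m.groups()
        parent, child = int(parent), int(child)
        edge_counts[(parent, child)] += 1
        names.setdefault(parent, parent_name)
        names.setdefault(child, child_name)
    return edge_counts, names


def build_tree(edge_counts):
    """Map each parent pid to its children in first-seen order (Counter keeps
    insertion order, so the order of the report is preserved)."""
    children = defaultdict(list)
    for parent, child in edge_counts:
        children[parent].append(child)
    return dict(children)


def roots(edge_counts):
    """Pids that write into other processes but are never written into."""
    parents = {p for p, _ in edge_counts}
    targets = {c for _, c in edge_counts}
    return sorted(parents - targets)


def render(tree, names, edge_counts, pid, depth=0, parent=None):
    """Indented text tree; the bracketed count is the number of write events
    the parent logged against that child."""
    suffix = "" if parent is None else f"  [{edge_counts[(parent, pid)]} write events]"
    lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}{suffix}"]
    for child in tree.get(pid, []):
        lines.extend(render(tree, names, edge_counts, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    edges, names = parse_events(WPM_EVENTS)
    tree = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(tree, names, edges, root)))
```

The same four events per pair on every edge, including the Word to splwow64.exe edge, is the pattern this kind of report produces for ordinary process creation, so the count on its own is not evidence of injection; what matters here is the shape of the tree: one dropper starting four renamed copies from SysWOW64 plus a Word instance on the dropped document, and tcehjetkvg.exe starting a second fypnvucx.exe.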
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6a667d54547ed2a293aa2b5c45871358ca306c77417247944e48aaccefbc16e5.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\SysWOW64\tcehjetkvg.exe
Command line: tcehjetkvg.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\fypnvucx.exe
Command line: C:\Windows\system32\fypnvucx.exe (the 32-bit parent asked for system32; WOW64 file system redirection resolves that to SysWOW64, which is where the image actually ran from)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 2] C:\Windows\SysWOW64\wqvmjvxoksatzze.exe
Command line: wqvmjvxoksatzze.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 2] C:\Windows\SysWOW64\fypnvucx.exe
Command line: fypnvucx.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 2] C:\Windows\SysWOW64\bsyhsyqsdriio.exe
Command line: bsyhsyqsdriio.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
[depth 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hidden Files and Directories (2)
- Modify Registry (7)
- Disabling Security Tools (2)
Downloads
-
C:\Windows\SysWOW64\bsyhsyqsdriio.exe
Filesize 255KB
MD5 e79234b07bf7aa4d10cbe9a4ee9719e6
SHA1 af2d66611ee8b274ed3dd569bbad3df16af1c09b
SHA256 b0ed181377feaf5fa1a5cc542d90dfe95d0e8eee9702a6a84a04514838bc36d6
SHA512 7ba915b256ff4c08668367efab660bfb188b340681f73d1b3edaff314588e8814353c6470859eba57d7ee35fe15a3d0c7d35603dc6cb41341b537417fdb13be5
-
C:\Windows\SysWOW64\fypnvucx.exe
Filesize 255KB
MD5 3a360f081570dc9a568962662a010403
SHA1 7183767c64c6c808b2a7c07ea15928e88122abca
SHA256 dd68fa76383be125192661495c96ae04d5ae376fb58d612aef86d22bfbd65956
SHA512 74cd11ca57bfd0ec572101a2cb766c4eb66650cc8936b10e52ae94212bfdca753b3a203516858c4b54224522a177ad6d2ccd17eff193b274f167428a488a4bd3
-
C:\Windows\SysWOW64\tcehjetkvg.exe
Filesize 255KB
MD5 4feac8ecba0f2d3014aafd9e5aa0a038
SHA1 6537b75599538e868fdf49fc16a47ae6a53b8b7d
SHA256 d6f654193484b9d923fd27bb9ce29973f1dd755105689c27c17219d69c6638a2
SHA512 2778b12c030ecd882c47fdee7048ba32377967714795805b3bba73fdd2db359fd7364ba5d6ba7ab6cfdb749f83042d632a26d14542f95f51c2922885370a8bb9
-
C:\Windows\SysWOW64\wqvmjvxoksatzze.exe
Filesize 255KB
MD5 e4fee497bcfa9cc5e47e40210b61efdf
SHA1 1f89001cffe4ae8b5cb42cbbfe0e5262a29d4f15
SHA256 8442cde7d72289afcf6beae1ff41fc3b1a90d7223bbc12f38f708837a79ee33f
SHA512 095a631901183a2346ddf910424781424b05e16050412ce088a981049fa0aaa909ba27ba0960fd911d229306679fce1137887c3f6b45d6a41dd357fde52b2051
-
C:\Windows\mydoc.rtf
Filesize 223B
MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
-
\Windows\SysWOW64\bsyhsyqsdriio.exe
Filesize 255KB
MD5 e79234b07bf7aa4d10cbe9a4ee9719e6
SHA1 af2d66611ee8b274ed3dd569bbad3df16af1c09b
SHA256 b0ed181377feaf5fa1a5cc542d90dfe95d0e8eee9702a6a84a04514838bc36d6
SHA512 7ba915b256ff4c08668367efab660bfb188b340681f73d1b3edaff314588e8814353c6470859eba57d7ee35fe15a3d0c7d35603dc6cb41341b537417fdb13be5
-
\Windows\SysWOW64\fypnvucx.exe
Filesize 255KB
MD5 3a360f081570dc9a568962662a010403
SHA1 7183767c64c6c808b2a7c07ea15928e88122abca
SHA256 dd68fa76383be125192661495c96ae04d5ae376fb58d612aef86d22bfbd65956
SHA512 74cd11ca57bfd0ec572101a2cb766c4eb66650cc8936b10e52ae94212bfdca753b3a203516858c4b54224522a177ad6d2ccd17eff193b274f167428a488a4bd3
-
\Windows\SysWOW64\tcehjetkvg.exe
Filesize 255KB
MD5 4feac8ecba0f2d3014aafd9e5aa0a038
SHA1 6537b75599538e868fdf49fc16a47ae6a53b8b7d
SHA256 d6f654193484b9d923fd27bb9ce29973f1dd755105689c27c17219d69c6638a2
SHA512 2778b12c030ecd882c47fdee7048ba32377967714795805b3bba73fdd2db359fd7364ba5d6ba7ab6cfdb749f83042d632a26d14542f95f51c2922885370a8bb9
-
\Windows\SysWOW64\wqvmjvxoksatzze.exe
Filesize 255KB
MD5 e4fee497bcfa9cc5e47e40210b61efdf
SHA1 1f89001cffe4ae8b5cb42cbbfe0e5262a29d4f15
SHA256 8442cde7d72289afcf6beae1ff41fc3b1a90d7223bbc12f38f708837a79ee33f
SHA512 095a631901183a2346ddf910424781424b05e16050412ce088a981049fa0aaa909ba27ba0960fd911d229306679fce1137887c3f6b45d6a41dd357fde52b2051
-
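Added example, not part of the report: the Downloads list gives the hashes of the four executables dropped into SysWOW64 and of the decoy document that Word is launched on. The dropped names are random-looking and would differ on another host, so a host sweep has to match on content. The script below walks a directory tree, hashes regular files and reports any that match the SHA-256 values above. The IOC table is copied from this page; the sweep function, its size cap and the constructed stand-in files in `demo()` are assumptions for illustration.

```python
"""Hunt for the dropped files from this report by SHA-256, not by name."""
import hashlib
import os
import pathlib
import tempfile

# SHA-256 values from the Downloads list above, keyed by the path the sandbox
# recorded. Every dropped .exe has a different hash despite the identical
# 255KB size, so these values match this run's files only (see note below).
REPORT_IOCS = {
    r"C:\Windows\SysWOW64\bsyhsyqsdriio.exe": "b0ed181377feaf5fa1a5cc542d90dfe95d0e8eee9702a6a84a04514838bc36d6",
    r"C:\Windows\SysWOW64\fypnvucx.exe": "dd68fa76383be125192661495c96ae04d5ae376fb58d612aef86d22bfbd65956",
    r"C:\Windows\SysWOW64\tcehjetkvg.exe": "d6f654193484b9d923fd27bb9ce29973f1dd755105689c27c17219d69c6638a2",
    r"C:\Windows\SysWOW64\wqvmjvxoksatzze.exe": "8442cde7d72289afcf6beae1ff41fc3b1a90d7223bbc12f38f708837a79ee33f",
    r"C:\Windows\mydoc.rtf": "85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, iocs, max_size=16 << 20):
    """Walk `root`, hash regular files up to `max_size` bytes (assumed cap) and
    return (path found, path the sandbox saw, sha256) for every hash in `iocs`."""
    by_hash = {h.lower(): p for p, h in iocs.items()}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                if os.path.getsize(full) > max_size:
                    continue
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if digest in by_hash:
                hits.append((full, by_hash[digest], digest))
    return hits


def demo():
    """Run the sweep over a constructed directory (stand-in files, not the real
    sample) and return [(file name found, sandbox path it matched)]."""
    with tempfile.TemporaryDirectory() as root:
        syswow = pathlib.Path(root, "SysWOW64")
        syswow.mkdir()
        dropped = syswow / "qwertyuiop.exe"  # constructed stand-in name
        dropped.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in for a dropped PE")
        (syswow / "benign.dll").write_bytes(b"MZ constructed benign file")
        iocs = dict(REPORT_IOCS)
        # Constructed IOC entry so the demo has something to hit offline.
        iocs[r"C:\Windows\SysWOW64\<constructed>.exe"] = sha256_file(dropped)
        hits = sweep(root, iocs)
        return [(os.path.basename(found), seen) for found, seen, _ in hits]


if __name__ == "__main__":
    for found, seen in demo():
        print(f"{found} matches the hash of {seen}")
```

Hash matching only catches this exact run: the four dropped executables are all 255KB yet carry four different hashes, so another infection will drop files with different hashes again. Pair the sweep with the behavioural markers the process tree records (unexpected executables in SysWOW64 with random names, Explorer and Security Center registry changes, Word opened on C:\Windows\mydoc.rtf).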
memory/280-99-0x00000000716BD000-0x00000000716C8000-memory.dmp (Filesize 44KB)
memory/280-86-0x0000000000000000-mapping.dmp
memory/280-102-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/280-103-0x00000000716BD000-0x00000000716C8000-memory.dmp (Filesize 44KB)
memory/280-91-0x00000000716BD000-0x00000000716C8000-memory.dmp (Filesize 44KB)
memory/280-90-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize 64KB)
memory/280-89-0x00000000706D1000-0x00000000706D3000-memory.dmp (Filesize 8KB)
memory/280-88-0x0000000072C51000-0x0000000072C54000-memory.dmp (Filesize 12KB)
memory/320-85-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/320-98-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/320-77-0x0000000000000000-mapping.dmp
memory/752-55-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp (Filesize 8KB)
memory/752-87-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/752-81-0x00000000032D0000-0x0000000003370000-memory.dmp (Filesize 640KB)
memory/824-94-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/824-57-0x0000000000000000-mapping.dmp
memory/824-80-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/936-82-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/936-62-0x0000000000000000-mapping.dmp
memory/936-95-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/1624-101-0x000007FEFC161000-0x000007FEFC163000-memory.dmp (Filesize 8KB)
memory/1624-100-0x0000000000000000-mapping.dmp
memory/2008-97-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/2008-84-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/2008-71-0x0000000000000000-mapping.dmp
memory/2040-96-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/2040-83-0x0000000000400000-0x00000000004A0000-memory.dmp (Filesize 640KB)
memory/2040-66-0x0000000000000000-mapping.dmp
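Added example, not part of the report: before pulling any of the dumps above it is worth checking that each declared size really is the size of its address range, which processes share the 0x400000-0x4A0000 image region, and whether any process holds a second region of that size somewhere else (752 does, at 0x32D0000). The script below parses the list in the shape shown on this page, with the size joined onto the same line as the name; the regular expressions and helper functions are assumptions about the report format, not a Triage API.

```python
"""Parse the memory-dump list and check each declared size against its address range."""
import re

# The dump entries from the list above, joined to one "name size" line each
# (the report prints the size on the line after the name); -mapping.dmp
# entries carry no size.
DUMP_LIST = """\
memory/280-99-0x00000000716BD000-0x00000000716C8000-memory.dmp 44KB
memory/280-86-0x0000000000000000-mapping.dmp
memory/280-102-0x000000005FFF0000-0x0000000060000000-memory.dmp 64KB
memory/280-103-0x00000000716BD000-0x00000000716C8000-memory.dmp 44KB
memory/280-91-0x00000000716BD000-0x00000000716C8000-memory.dmp 44KB
memory/280-90-0x000000005FFF0000-0x0000000060000000-memory.dmp 64KB
memory/280-89-0x00000000706D1000-0x00000000706D3000-memory.dmp 8KB
memory/280-88-0x0000000072C51000-0x0000000072C54000-memory.dmp 12KB
memory/320-85-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/320-98-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/320-77-0x0000000000000000-mapping.dmp
memory/752-55-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/752-54-0x0000000075D01000-0x0000000075D03000-memory.dmp 8KB
memory/752-87-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/752-81-0x00000000032D0000-0x0000000003370000-memory.dmp 640KB
memory/824-94-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/824-57-0x0000000000000000-mapping.dmp
memory/824-80-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/936-82-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/936-62-0x0000000000000000-mapping.dmp
memory/936-95-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/1624-101-0x000007FEFC161000-0x000007FEFC163000-memory.dmp 8KB
memory/1624-100-0x0000000000000000-mapping.dmp
memory/2008-97-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/2008-84-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/2008-71-0x0000000000000000-mapping.dmp
memory/2040-96-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/2040-83-0x0000000000400000-0x00000000004A0000-memory.dmp 640KB
memory/2040-66-0x0000000000000000-mapping.dmp
"""

# Assumed entry shapes: "memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp <size>KB"
# and "memory/<pid>-<n>-0x<addr>-mapping.dmp".
REGION_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)"
    r"-memory\.dmp\s+(?P<kb>\d+)KB")
MAPPING_RE = re.compile(r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x[0-9A-Fa-f]+-mapping\.dmp")


def parse_dump_list(text):
    """Split the list into region dumps (with declared size) and mapping dumps."""
    regions, mappings = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := REGION_RE.fullmatch(line):
            regions.append({
                "pid": int(m["pid"]), "idx": int(m["idx"]),
                "start": int(m["start"], 16), "end": int(m["end"], 16),
                "declared": int(m["kb"]) * 1024,
            })
        elif m := MAPPING_RE.fullmatch(line):
            mappings.append((int(m["pid"]), int(m["idx"])))
        else:
            raise ValueError(f"unrecognised dump entry: {line}")
    return regions, mappings


def size_mismatches(regions):
    """Regions whose declared size is not exactly end - start."""
    return [r for r in regions if r["end"] - r["start"] != r["declared"]]


def pids_with_region(regions, start, end):
    """Pids that have a dump of exactly this address range."""
    return sorted({r["pid"] for r in regions if (r["start"], r["end"]) == (start, end)})


def same_size_elsewhere(regions, size, exclude_start):
    """(pid, start, end) of regions of the given size that do not start at exclude_start."""
    return sorted({(r["pid"], r["start"], r["end"]) for r in regions
                   if r["end"] - r["start"] == size and r["start"] != exclude_start})


if __name__ == "__main__":
    regions, mappings = parse_dump_list(DUMP_LIST)
    print(f"{len(regions)} region dumps, {len(mappings)} mapping dumps, "
          f"{len(size_mismatches(regions))} size mismatches")
    print("pids dumped at 0x400000-0x4A0000:", pids_with_region(regions, 0x400000, 0x4A0000))
    print("other 640KB regions:",
          [(p, hex(s), hex(e)) for p, s, e in same_size_elsewhere(regions, 0xA0000, 0x400000)])
```

For this page every declared size matches its range exactly (44KB is 0xB000 bytes, 640KB is 0xA0000), the dropper and all five processes it starts from SysWOW64 share the same 640KB region at 0x400000, and only the dropper (752) has a second 640KB region at 0x32D0000-0x3370000; that extra region is the first dump to diff against the image dumps when looking for where the dropped copies are prepared.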