dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
Size

255KB
MD5

d3fdaf5a4daec0d7a3a7f1c6594a526e
SHA1

cff0b7b0b7eba2f249828fa99e8d87a2163e67ed
SHA256

dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f
SHA512

e60560268ec55337ed71a549847b828cf426cdec578f56b8d90b3433eedd3cebb5b58e9e9f925b7c7dad0421a63b35fe07b6ac48de69ae8cfc3e31ad03efd9a8
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJR:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIg

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	quaupnuons.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	quaupnuons.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	quaupnuons.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	quaupnuons.exe

Executes dropped EXE 6 IoCs

pid	Process
1640	quaupnuons.exe
2024	vykkbegbonqysma.exe
1232	rpvxltpl.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
1604	rpvxltpl.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-55.dat	upx
behavioral1/files/0x000c0000000054a8-57.dat	upx
behavioral1/files/0x000b000000012315-59.dat	upx
behavioral1/files/0x000c0000000054a8-60.dat	upx
behavioral1/files/0x0009000000012326-64.dat	upx
behavioral1/files/0x0009000000012326-66.dat	upx
behavioral1/files/0x000800000001232e-68.dat	upx
behavioral1/files/0x000b000000012315-62.dat	upx
behavioral1/files/0x0009000000012326-74.dat	upx
behavioral1/files/0x000800000001232e-73.dat	upx
behavioral1/files/0x000800000001232e-71.dat	upx
behavioral1/files/0x000b000000012315-70.dat	upx
behavioral1/memory/1640-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1668-75-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1232-80-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000800000001232e-84.dat	upx
behavioral1/memory/1828-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000800000001232e-81.dat	upx
behavioral1/memory/2024-79-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0009000000012326-86.dat	upx
behavioral1/files/0x0009000000012326-88.dat	upx
behavioral1/memory/1668-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/628-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1604-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1828-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1640-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2024-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1232-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/628-105-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1604-106-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000132f6-109.dat	upx
behavioral1/files/0x00070000000132f6-108.dat	upx
behavioral1/files/0x000700000001339d-110.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
272	cmd.exe
1640	quaupnuons.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	quaupnuons.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xrkeywkz = "vykkbegbonqysma.exe"	vykkbegbonqysma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "grbpicyknjqrq.exe"	vykkbegbonqysma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vykkbegbonqysma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yzhsrlzm = "quaupnuons.exe"	vykkbegbonqysma.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	rpvxltpl.exe
File opened (read-only)	\??\v:	quaupnuons.exe
File opened (read-only)	\??\q:	rpvxltpl.exe
File opened (read-only)	\??\e:	rpvxltpl.exe
File opened (read-only)	\??\b:	quaupnuons.exe
File opened (read-only)	\??\e:	quaupnuons.exe
File opened (read-only)	\??\j:	rpvxltpl.exe
File opened (read-only)	\??\o:	rpvxltpl.exe
File opened (read-only)	\??\f:	quaupnuons.exe
File opened (read-only)	\??\u:	quaupnuons.exe
File opened (read-only)	\??\x:	quaupnuons.exe
File opened (read-only)	\??\l:	rpvxltpl.exe
File opened (read-only)	\??\a:	quaupnuons.exe
File opened (read-only)	\??\g:	quaupnuons.exe
File opened (read-only)	\??\m:	quaupnuons.exe
File opened (read-only)	\??\q:	quaupnuons.exe
File opened (read-only)	\??\k:	rpvxltpl.exe
File opened (read-only)	\??\k:	rpvxltpl.exe
File opened (read-only)	\??\t:	quaupnuons.exe
File opened (read-only)	\??\a:	rpvxltpl.exe
File opened (read-only)	\??\f:	rpvxltpl.exe
File opened (read-only)	\??\m:	rpvxltpl.exe
File opened (read-only)	\??\q:	rpvxltpl.exe
File opened (read-only)	\??\n:	quaupnuons.exe
File opened (read-only)	\??\w:	rpvxltpl.exe
File opened (read-only)	\??\u:	rpvxltpl.exe
File opened (read-only)	\??\r:	quaupnuons.exe
File opened (read-only)	\??\b:	rpvxltpl.exe
File opened (read-only)	\??\g:	rpvxltpl.exe
File opened (read-only)	\??\o:	rpvxltpl.exe
File opened (read-only)	\??\h:	rpvxltpl.exe
File opened (read-only)	\??\i:	rpvxltpl.exe
File opened (read-only)	\??\b:	rpvxltpl.exe
File opened (read-only)	\??\r:	rpvxltpl.exe
File opened (read-only)	\??\s:	rpvxltpl.exe
File opened (read-only)	\??\k:	quaupnuons.exe
File opened (read-only)	\??\f:	rpvxltpl.exe
File opened (read-only)	\??\j:	rpvxltpl.exe
File opened (read-only)	\??\s:	rpvxltpl.exe
File opened (read-only)	\??\t:	rpvxltpl.exe
File opened (read-only)	\??\l:	rpvxltpl.exe
File opened (read-only)	\??\t:	rpvxltpl.exe
File opened (read-only)	\??\x:	rpvxltpl.exe
File opened (read-only)	\??\l:	quaupnuons.exe
File opened (read-only)	\??\x:	rpvxltpl.exe
File opened (read-only)	\??\w:	quaupnuons.exe
File opened (read-only)	\??\s:	quaupnuons.exe
File opened (read-only)	\??\y:	quaupnuons.exe
File opened (read-only)	\??\v:	rpvxltpl.exe
File opened (read-only)	\??\p:	rpvxltpl.exe
File opened (read-only)	\??\j:	quaupnuons.exe
File opened (read-only)	\??\p:	quaupnuons.exe
File opened (read-only)	\??\e:	rpvxltpl.exe
File opened (read-only)	\??\a:	rpvxltpl.exe
File opened (read-only)	\??\g:	rpvxltpl.exe
File opened (read-only)	\??\h:	rpvxltpl.exe
File opened (read-only)	\??\i:	rpvxltpl.exe
File opened (read-only)	\??\m:	rpvxltpl.exe
File opened (read-only)	\??\n:	rpvxltpl.exe
File opened (read-only)	\??\p:	rpvxltpl.exe
File opened (read-only)	\??\r:	rpvxltpl.exe
File opened (read-only)	\??\z:	rpvxltpl.exe
File opened (read-only)	\??\h:	quaupnuons.exe
File opened (read-only)	\??\o:	quaupnuons.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	quaupnuons.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	quaupnuons.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1640-78-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1668-75-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1232-80-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1828-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-79-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1668-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/628-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1604-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1828-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1640-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1232-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/628-105-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1604-106-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	quaupnuons.exe
File created	C:\Windows\SysWOW64\quaupnuons.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File opened for modification	C:\Windows\SysWOW64\quaupnuons.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File opened for modification	C:\Windows\SysWOW64\vykkbegbonqysma.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File created	C:\Windows\SysWOW64\rpvxltpl.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File created	C:\Windows\SysWOW64\grbpicyknjqrq.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File created	C:\Windows\SysWOW64\vykkbegbonqysma.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File opened for modification	C:\Windows\SysWOW64\rpvxltpl.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File opened for modification	C:\Windows\SysWOW64\grbpicyknjqrq.exe	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpvxltpl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpvxltpl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rpvxltpl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rpvxltpl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rpvxltpl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rpvxltpl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rpvxltpl.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	quaupnuons.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C7081596DABEB9CD7FE3ED9537BC"	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1624	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
1604	rpvxltpl.exe
1604	rpvxltpl.exe
1604	rpvxltpl.exe
1604	rpvxltpl.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: SeShutdownPrivilege	1948	explorer.exe
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
628	grbpicyknjqrq.exe
1604	rpvxltpl.exe
1604	rpvxltpl.exe
1604	rpvxltpl.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
1640	quaupnuons.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
2024	vykkbegbonqysma.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1828	grbpicyknjqrq.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
1232	rpvxltpl.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe
1948	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	WINWORD.EXE
1624	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1640	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	27
PID 1668 wrote to memory of 1640	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	27
PID 1668 wrote to memory of 1640	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	27
PID 1668 wrote to memory of 1640	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	27
PID 1668 wrote to memory of 2024	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	28
PID 1668 wrote to memory of 2024	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	28
PID 1668 wrote to memory of 2024	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	28
PID 1668 wrote to memory of 2024	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	28
PID 1668 wrote to memory of 1232	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	29
PID 1668 wrote to memory of 1232	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	29
PID 1668 wrote to memory of 1232	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	29
PID 1668 wrote to memory of 1232	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	29
PID 1668 wrote to memory of 1828	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	30
PID 1668 wrote to memory of 1828	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	30
PID 1668 wrote to memory of 1828	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	30
PID 1668 wrote to memory of 1828	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	30
PID 2024 wrote to memory of 272	2024	vykkbegbonqysma.exe	31
PID 2024 wrote to memory of 272	2024	vykkbegbonqysma.exe	31
PID 2024 wrote to memory of 272	2024	vykkbegbonqysma.exe	31
PID 2024 wrote to memory of 272	2024	vykkbegbonqysma.exe	31
PID 272 wrote to memory of 628	272	cmd.exe	33
PID 272 wrote to memory of 628	272	cmd.exe	33
PID 272 wrote to memory of 628	272	cmd.exe	33
PID 272 wrote to memory of 628	272	cmd.exe	33
PID 1640 wrote to memory of 1604	1640	quaupnuons.exe	34
PID 1640 wrote to memory of 1604	1640	quaupnuons.exe	34
PID 1640 wrote to memory of 1604	1640	quaupnuons.exe	34
PID 1640 wrote to memory of 1604	1640	quaupnuons.exe	34
PID 1668 wrote to memory of 1624	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	35
PID 1668 wrote to memory of 1624	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	35
PID 1668 wrote to memory of 1624	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	35
PID 1668 wrote to memory of 1624	1668	dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe	35

C:\Users\Admin\AppData\Local\Temp\dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe
"C:\Users\Admin\AppData\Local\Temp\dd1a350da8228664bc76f3efee4cca97c4236ed6000f79179dedd524b9f2c37f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\quaupnuons.exe
  quaupnuons.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\rpvxltpl.exe
    C:\Windows\system32\rpvxltpl.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1604
- C:\Windows\SysWOW64\vykkbegbonqysma.exe
  vykkbegbonqysma.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c grbpicyknjqrq.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\SysWOW64\grbpicyknjqrq.exe
      grbpicyknjqrq.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:628
- C:\Windows\SysWOW64\rpvxltpl.exe
  rpvxltpl.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1232
- C:\Windows\SysWOW64\grbpicyknjqrq.exe
  grbpicyknjqrq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1828
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x56c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
cf32d06fcb07223b49b733aa3434123d

SHA1
70f113dbcd40ea79bb7149894d84110227ff512a

SHA256
f74e5850d4b286b839654191238cb618ea5dc5c651b87d8d6d7e2ea4cb624180

SHA512
ca9f451724bb7a62fa7b06e5af7b84a7369484f917826e4c43ec4531d31ae9abdbfef9179355dd3f087df6f2e250c2e38560827eb057c318938a52c938bd99de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
ce2b05891a8b96950dfd6beb1a4cc731

SHA1
db153762c7bf32aeebd12f5137b9fc53bddec240

SHA256
94d42feadec352e20ba85987bdb7311523398d6c94640db98b638c16d8e3dca3

SHA512
86de4fcc208a4b81f1daeff636c740c360904a2f9d84f5c812e7d7921d3bdfdfcd5d633f17b1efd68bef64de87f25ea3535731b04aecd525afd2819e6f6289a5

Download Submit
C:\Windows\SysWOW64\grbpicyknjqrq.exe

Filesize
255KB

MD5
f35ad20ac7b10dd849616a8905a614d2

SHA1
12bc1bf85a8b6baf6e5908fdac86ac6d8605a375

SHA256
204dba0263bb591447e347dc2a002919819bbedc48559113fd1a71bde2d664a1

SHA512
c1d0216ed14c9d0424661dfc38397bf89e12a732530447f0feef2805d4e6b2df97f6d4e62923e0ce700fb24a604a620b118bacf1eeff8f81afe53485eaf2d98e

Download Submit
C:\Windows\SysWOW64\grbpicyknjqrq.exe

Filesize
255KB

MD5
f35ad20ac7b10dd849616a8905a614d2

SHA1
12bc1bf85a8b6baf6e5908fdac86ac6d8605a375

SHA256
204dba0263bb591447e347dc2a002919819bbedc48559113fd1a71bde2d664a1

SHA512
c1d0216ed14c9d0424661dfc38397bf89e12a732530447f0feef2805d4e6b2df97f6d4e62923e0ce700fb24a604a620b118bacf1eeff8f81afe53485eaf2d98e

Download Submit
C:\Windows\SysWOW64\grbpicyknjqrq.exe

Filesize
255KB

MD5
f35ad20ac7b10dd849616a8905a614d2

SHA1
12bc1bf85a8b6baf6e5908fdac86ac6d8605a375

SHA256
204dba0263bb591447e347dc2a002919819bbedc48559113fd1a71bde2d664a1

SHA512
c1d0216ed14c9d0424661dfc38397bf89e12a732530447f0feef2805d4e6b2df97f6d4e62923e0ce700fb24a604a620b118bacf1eeff8f81afe53485eaf2d98e

Download Submit
C:\Windows\SysWOW64\quaupnuons.exe

Filesize
255KB

MD5
fc566c01fd93189c94d6007cbcba1dd2

SHA1
7622b14f66c37c88bf40832875357733feabe768

SHA256
56b4857acdf47ad4e393bf50f8ee73c894f94d9f1b5b376d5ea075c38a7bb0a7

SHA512
6582a4a6c4074f5a5085cfc20b76c27643af31700b58a2b890b9f030ff501af9a192b3dea42ac794c1bda8e2e61f6a38ebbfa86178576a66d9fdc608d74cf31f

Download Submit
C:\Windows\SysWOW64\quaupnuons.exe

Filesize
255KB

MD5
fc566c01fd93189c94d6007cbcba1dd2

SHA1
7622b14f66c37c88bf40832875357733feabe768

SHA256
56b4857acdf47ad4e393bf50f8ee73c894f94d9f1b5b376d5ea075c38a7bb0a7

SHA512
6582a4a6c4074f5a5085cfc20b76c27643af31700b58a2b890b9f030ff501af9a192b3dea42ac794c1bda8e2e61f6a38ebbfa86178576a66d9fdc608d74cf31f

Download Submit
C:\Windows\SysWOW64\rpvxltpl.exe

Filesize
255KB

MD5
83f481a0620d39ec72cc2d886cfff26e

SHA1
74bc4848f2301c8efc626bc90efc02813154b3ad

SHA256
07e1dbcc932f56e9946414c6c99c1458f23796f37581ec313605ca0908bf9621

SHA512
83a86f3f870df2928cd52f7ea275dd5fb7b8db8fbc90c15ba0ee0e0413c1da540b64a126e4680f40f08aee87401d13f8998284b8b7e689e6d4c5ad53e924cc5d

Download Submit
C:\Windows\SysWOW64\rpvxltpl.exe

Filesize
255KB

MD5
83f481a0620d39ec72cc2d886cfff26e

SHA1
74bc4848f2301c8efc626bc90efc02813154b3ad

SHA256
07e1dbcc932f56e9946414c6c99c1458f23796f37581ec313605ca0908bf9621

SHA512
83a86f3f870df2928cd52f7ea275dd5fb7b8db8fbc90c15ba0ee0e0413c1da540b64a126e4680f40f08aee87401d13f8998284b8b7e689e6d4c5ad53e924cc5d

Download Submit
C:\Windows\SysWOW64\rpvxltpl.exe

Filesize
255KB

MD5
83f481a0620d39ec72cc2d886cfff26e

SHA1
74bc4848f2301c8efc626bc90efc02813154b3ad

SHA256
07e1dbcc932f56e9946414c6c99c1458f23796f37581ec313605ca0908bf9621

SHA512
83a86f3f870df2928cd52f7ea275dd5fb7b8db8fbc90c15ba0ee0e0413c1da540b64a126e4680f40f08aee87401d13f8998284b8b7e689e6d4c5ad53e924cc5d

Download Submit
C:\Windows\SysWOW64\vykkbegbonqysma.exe

Filesize
255KB

MD5
60b6e051f5a3746dd55cab744e2a1f79

SHA1
bf843006a9f0400c910dc86dfcf3d84153519aa8

SHA256
cb04375182941a80685ae9e4972eb15735464576d274c966b9132c6839458ffc

SHA512
bcbf1f303fcddf62cb7a27aa605e6b5514a63332f52d2d9cc5507353e5f223dbc114ab3c0bd80eb1d474e831da79671b3d56e69ee57197c235c5ad510c1f50c7

Download Submit
C:\Windows\SysWOW64\vykkbegbonqysma.exe

Filesize
255KB

MD5
60b6e051f5a3746dd55cab744e2a1f79

SHA1
bf843006a9f0400c910dc86dfcf3d84153519aa8

SHA256
cb04375182941a80685ae9e4972eb15735464576d274c966b9132c6839458ffc

SHA512
bcbf1f303fcddf62cb7a27aa605e6b5514a63332f52d2d9cc5507353e5f223dbc114ab3c0bd80eb1d474e831da79671b3d56e69ee57197c235c5ad510c1f50c7

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
cf32d06fcb07223b49b733aa3434123d

SHA1
70f113dbcd40ea79bb7149894d84110227ff512a

SHA256
f74e5850d4b286b839654191238cb618ea5dc5c651b87d8d6d7e2ea4cb624180

SHA512
ca9f451724bb7a62fa7b06e5af7b84a7369484f917826e4c43ec4531d31ae9abdbfef9179355dd3f087df6f2e250c2e38560827eb057c318938a52c938bd99de

Download Submit
\Windows\SysWOW64\grbpicyknjqrq.exe

Filesize
255KB

MD5
f35ad20ac7b10dd849616a8905a614d2

SHA1
12bc1bf85a8b6baf6e5908fdac86ac6d8605a375

SHA256
204dba0263bb591447e347dc2a002919819bbedc48559113fd1a71bde2d664a1

SHA512
c1d0216ed14c9d0424661dfc38397bf89e12a732530447f0feef2805d4e6b2df97f6d4e62923e0ce700fb24a604a620b118bacf1eeff8f81afe53485eaf2d98e

Download Submit
\Windows\SysWOW64\grbpicyknjqrq.exe

Filesize
255KB

MD5
f35ad20ac7b10dd849616a8905a614d2

SHA1
12bc1bf85a8b6baf6e5908fdac86ac6d8605a375

SHA256
204dba0263bb591447e347dc2a002919819bbedc48559113fd1a71bde2d664a1

SHA512
c1d0216ed14c9d0424661dfc38397bf89e12a732530447f0feef2805d4e6b2df97f6d4e62923e0ce700fb24a604a620b118bacf1eeff8f81afe53485eaf2d98e

Download Submit
\Windows\SysWOW64\quaupnuons.exe

Filesize
255KB

MD5
fc566c01fd93189c94d6007cbcba1dd2

SHA1
7622b14f66c37c88bf40832875357733feabe768

SHA256
56b4857acdf47ad4e393bf50f8ee73c894f94d9f1b5b376d5ea075c38a7bb0a7

SHA512
6582a4a6c4074f5a5085cfc20b76c27643af31700b58a2b890b9f030ff501af9a192b3dea42ac794c1bda8e2e61f6a38ebbfa86178576a66d9fdc608d74cf31f

Download Submit
\Windows\SysWOW64\rpvxltpl.exe

Filesize
255KB

MD5
83f481a0620d39ec72cc2d886cfff26e

SHA1
74bc4848f2301c8efc626bc90efc02813154b3ad

SHA256
07e1dbcc932f56e9946414c6c99c1458f23796f37581ec313605ca0908bf9621

SHA512
83a86f3f870df2928cd52f7ea275dd5fb7b8db8fbc90c15ba0ee0e0413c1da540b64a126e4680f40f08aee87401d13f8998284b8b7e689e6d4c5ad53e924cc5d

Download Submit
\Windows\SysWOW64\rpvxltpl.exe

Filesize
255KB

MD5
83f481a0620d39ec72cc2d886cfff26e

SHA1
74bc4848f2301c8efc626bc90efc02813154b3ad

SHA256
07e1dbcc932f56e9946414c6c99c1458f23796f37581ec313605ca0908bf9621

SHA512
83a86f3f870df2928cd52f7ea275dd5fb7b8db8fbc90c15ba0ee0e0413c1da540b64a126e4680f40f08aee87401d13f8998284b8b7e689e6d4c5ad53e924cc5d

Download Submit
\Windows\SysWOW64\vykkbegbonqysma.exe

Filesize
255KB

MD5
60b6e051f5a3746dd55cab744e2a1f79

SHA1
bf843006a9f0400c910dc86dfcf3d84153519aa8

SHA256
cb04375182941a80685ae9e4972eb15735464576d274c966b9132c6839458ffc

SHA512
bcbf1f303fcddf62cb7a27aa605e6b5514a63332f52d2d9cc5507353e5f223dbc114ab3c0bd80eb1d474e831da79671b3d56e69ee57197c235c5ad510c1f50c7

Download Submit
memory/272-76-0x0000000000000000-mapping.dmp

Download
memory/628-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/628-83-0x0000000000000000-mapping.dmp

Download
memory/628-105-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1232-80-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1232-65-0x0000000000000000-mapping.dmp

Download
memory/1232-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1604-106-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1604-87-0x0000000000000000-mapping.dmp

Download
memory/1604-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1624-107-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

Filesize
44KB

Download
memory/1624-99-0x0000000070BDD000-0x0000000070BE8000-memory.dmp

Filesize
44KB

Download
memory/1624-90-0x0000000000000000-mapping.dmp

Download
memory/1624-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1624-92-0x0000000072171000-0x0000000072174000-memory.dmp

Filesize
12KB

Download
memory/1624-93-0x000000006FBF1000-0x000000006FBF3000-memory.dmp

Filesize
8KB

Download
memory/1640-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1640-56-0x0000000000000000-mapping.dmp

Download
memory/1640-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1668-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1668-77-0x0000000000970000-0x0000000000A10000-memory.dmp

Filesize
640KB

Download
memory/1668-75-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1828-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1828-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1828-69-0x0000000000000000-mapping.dmp

Download
memory/1948-100-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/2024-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2024-61-0x0000000000000000-mapping.dmp

Download
memory/2024-79-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download