Analysis
- max time kernel: 152s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29/11/2022, 06:05
Behavioral task
- behavioral1
- Sample: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
- Resource: win7-20221111-en
General
- Target: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
- Size: 255KB
- MD5: c883f057fd44e432933630bfa7b16787
- SHA1: ebc8944e4b1ca122c8bfaa0d178707675083acb8
- SHA256: feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301
- SHA512: 981d9316665087e3f903c58565be5ba3464de5844355d8f8b068665942219a2ee78a48ff1f419f36a75c83edbba7f4d90da29c91fd24e94c9a1311905a1ec42a
- SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJz:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIw
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | fjjgvavkht.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | fjjgvavkht.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fjjgvavkht.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fjjgvavkht.exe
Executes dropped EXE 6 IoCs
pid | Process
1056 | fjjgvavkht.exe
1176 | xhrrcylothuvpaw.exe
1240 | pvbowpqt.exe
664 | cctlcrjxbtsgh.exe
552 | cctlcrjxbtsgh.exe
1572 | pvbowpqt.exe
Loads dropped DLL 6 IoCs
pid | Process
1992 | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
1992 | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
1992 | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
1992 | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
1276 | cmd.exe
1056 | fjjgvavkht.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | fjjgvavkht.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | xhrrcylothuvpaw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dvywlrqc = "fjjgvavkht.exe" | xhrrcylothuvpaw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vwpucreh = "xhrrcylothuvpaw.exe" | xhrrcylothuvpaw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cctlcrjxbtsgh.exe" | xhrrcylothuvpaw.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | fjjgvavkht.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | fjjgvavkht.exe
AutoIT Executable 14 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\xhrrcylothuvpaw.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File created | C:\Windows\SysWOW64\pvbowpqt.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | fjjgvavkht.exe
File opened for modification | C:\Windows\SysWOW64\cctlcrjxbtsgh.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File created | C:\Windows\SysWOW64\fjjgvavkht.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File opened for modification | C:\Windows\SysWOW64\fjjgvavkht.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File created | C:\Windows\SysWOW64\xhrrcylothuvpaw.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File opened for modification | C:\Windows\SysWOW64\pvbowpqt.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File created | C:\Windows\SysWOW64\cctlcrjxbtsgh.exe | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pvbowpqt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | pvbowpqt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | pvbowpqt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pvbowpqt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pvbowpqt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | pvbowpqt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | pvbowpqt.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1624 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 21 IoCs
Suspicious use of SendNotifyMessage 21 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1624 | WINWORD.EXE
1624 | WINWORD.EXE
Suspicious use of WriteProcessMemory 36 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\feb46b7a9db8e5dba46df813eab4328f07d19c9922b352aab4e9fac1e88c0301.exe" (depth 1)
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1992
  - C:\Windows\SysWOW64\fjjgvavkht.exe
    Command line: fjjgvavkht.exe (depth 2)
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1056
    - C:\Windows\SysWOW64\pvbowpqt.exe
      Command line: C:\Windows\system32\pvbowpqt.exe (depth 3)
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 1572
  - C:\Windows\SysWOW64\xhrrcylothuvpaw.exe
    Command line: xhrrcylothuvpaw.exe (depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 1176
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c cctlcrjxbtsgh.exe (depth 3)
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1276
      - C:\Windows\SysWOW64\cctlcrjxbtsgh.exe
        Command line: cctlcrjxbtsgh.exe (depth 4)
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 552
  - C:\Windows\SysWOW64\pvbowpqt.exe
    Command line: pvbowpqt.exe (depth 2)
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1240
  - C:\Windows\SysWOW64\cctlcrjxbtsgh.exe
    Command line: cctlcrjxbtsgh.exe (depth 2)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 664
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" (depth 2)
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1624
    - C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288 (depth 3)
      PID: 1816
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
Downloads
- Filesize: 255KB
  MD5: cc6b9e3dc2d514ca938bc79b0cf9c92c
  SHA1: 6219c96c1aed08af577f494b0dce5612bb337a83
  SHA256: 55b3bacdc6d167665154b25baba1a3d8942f67251d61407f7d10812d83781b02
  SHA512: 08cf36d880e7c8926319b0e53d21465ca2f8a56df82a9098a5daf5aeae9c5c60fbcdac298a9b91ae12a31081536e558c5dde2f07e70b06dacb2ae04d41f8a83a
- Filesize: 255KB
  MD5: b52e64b8c6abf202a1d2f1449b9b35e2
  SHA1: d61ba6f3f163a60cf11bfaa7b1534b64692aa271
  SHA256: 1f73494fd181af678d80c7a941b8c766f90df638704bce23b8fdffd17c1e250c
  SHA512: e4f28ce39ffbc4c8b283ff52af1ba3a4ad77e89c60956c8adb37af8bd0b723ddee6762bdfa305a6fab9b91f6246c3ddacf483c322513ee210af5d4c917be0029
- Filesize: 255KB
  MD5: eec1f44976ed9aa2126d483a996126bf
  SHA1: 72a31e1069dc99d4c454a7e9699de29fa3b90b69
  SHA256: 4a1ec7a377e76f72662e7675bc0b0ae1a9c8b824618fa39bbad3b5015c1c5a3f
  SHA512: 76a13b02a59be676b77ace715de9bbbb1fe8886c21f795334e0a12d90833cc22f64dceb2b5adbad31401e4d8fb7ac295b27dab64b7d68d8e48d045bf50cbdebe
- Filesize: 255KB
  MD5: 4e60af5a4b8dda7910e8446b203a10c3
  SHA1: f25d0cd83eaaab68c88b0dcf7965580b9868d907
  SHA256: 7975ff8e7ab5d2218603ef70bd8f0b20c5bc97b88141650bcdba2707f413b881
  SHA512: 44a124ec12a9e0089b008972af4641f2dd926937796c9692dead74a85c112ef3fd7716cac2b2a907cbfa5401d5274262319ee1056dc768f8326875b5d97c1787
- Filesize: 255KB
  MD5: bf9a076f69cf8836522f1c15e5ad6f53
  SHA1: f326e7427544340f663ce99b866484f844dac0ca
  SHA256: dda3b1faa6e04e25827f4ea88d4fb73e166e72f89310a8724a25e67c3d4fb03c
  SHA512: cc17640e10089b84255e157466cfda43d641dafd8fd708e21c8598c430d52ff0ba8846776ec70d444b1b43e802576870f8c4c4f20e443446451de80272776865
- Filesize: 255KB
  MD5: fed85d4d0fa276d6d2882cbbfa875e4a
  SHA1: e320a17a78936054e2dfe682303f636c4b5eb60e
  SHA256: 79508caa7e7f506c6123395a316b9c43fd5bb0f08e48b159a4388bce7288679e
  SHA512: fde21255dd93a6fba4afa1a1b8b50aa7981d2fcb4e52d648fbc19ca7ddb2a3488050f5e618e4af91bb94d876b576ee182809bdc321edd199d257a558288118de
- Filesize: 255KB
  MD5: fed85d4d0fa276d6d2882cbbfa875e4a
  SHA1: e320a17a78936054e2dfe682303f636c4b5eb60e
  SHA256: 79508caa7e7f506c6123395a316b9c43fd5bb0f08e48b159a4388bce7288679e
  SHA512: fde21255dd93a6fba4afa1a1b8b50aa7981d2fcb4e52d648fbc19ca7ddb2a3488050f5e618e4af91bb94d876b576ee182809bdc321edd199d257a558288118de
- Filesize: 255KB
  MD5: fed85d4d0fa276d6d2882cbbfa875e4a
  SHA1: e320a17a78936054e2dfe682303f636c4b5eb60e
  SHA256: 79508caa7e7f506c6123395a316b9c43fd5bb0f08e48b159a4388bce7288679e
  SHA512: fde21255dd93a6fba4afa1a1b8b50aa7981d2fcb4e52d648fbc19ca7ddb2a3488050f5e618e4af91bb94d876b576ee182809bdc321edd199d257a558288118de
- Filesize: 255KB
  MD5: ce3d3a2ea8bd5d6471fddf159ea2d2da
  SHA1: b50d6dad449c08eea0790e39d3a2e421e70e3a22
  SHA256: 81d18c0f5168f8521eb8f5b9508ae0928283fd82819df61618d569d043f5cc80
  SHA512: 80d3d8cb06bebd67e25e20cb1a32cfa6c55f9962976ed96d556e42593f2808af6b139b0ab832eda192b2c424aa2886d6f1cc5ec2b8248849d8af53880042812d
- Filesize: 255KB
  MD5: ce3d3a2ea8bd5d6471fddf159ea2d2da
  SHA1: b50d6dad449c08eea0790e39d3a2e421e70e3a22
  SHA256: 81d18c0f5168f8521eb8f5b9508ae0928283fd82819df61618d569d043f5cc80
  SHA512: 80d3d8cb06bebd67e25e20cb1a32cfa6c55f9962976ed96d556e42593f2808af6b139b0ab832eda192b2c424aa2886d6f1cc5ec2b8248849d8af53880042812d
- Filesize: 255KB
  MD5: 5d7b1ad5fd0f13ea91ff1e4a1bfb4e2e
  SHA1: 3ffdb3884fc3654682c7bd5d44deb74161969bcc
  SHA256: e6e7aa8a285998593deb544e517ec5ee70bb885a64e2e2c0139892694aaf38e1
  SHA512: 5beacf8d3c5225772e5e9b99eac6555345ce5217711f67ed45262d7c3e3cc554adf23d719e93e4ca6b2909a4b5516184570addcc8edb83c52495914fe0a35ef8
- Filesize: 255KB
  MD5: 5d7b1ad5fd0f13ea91ff1e4a1bfb4e2e
  SHA1: 3ffdb3884fc3654682c7bd5d44deb74161969bcc
  SHA256: e6e7aa8a285998593deb544e517ec5ee70bb885a64e2e2c0139892694aaf38e1
  SHA512: 5beacf8d3c5225772e5e9b99eac6555345ce5217711f67ed45262d7c3e3cc554adf23d719e93e4ca6b2909a4b5516184570addcc8edb83c52495914fe0a35ef8
- Filesize: 255KB
  MD5: 5d7b1ad5fd0f13ea91ff1e4a1bfb4e2e
  SHA1: 3ffdb3884fc3654682c7bd5d44deb74161969bcc
  SHA256: e6e7aa8a285998593deb544e517ec5ee70bb885a64e2e2c0139892694aaf38e1
  SHA512: 5beacf8d3c5225772e5e9b99eac6555345ce5217711f67ed45262d7c3e3cc554adf23d719e93e4ca6b2909a4b5516184570addcc8edb83c52495914fe0a35ef8
- Filesize: 255KB
  MD5: 5f77820edf7c518b6ef7377e062c1271
  SHA1: 8dc96cd573321834800aeef8ee4fabd5f0f1eeec
  SHA256: adeeb8f7dd1ee73ea8c91153f1c1d9112823c8da1dbae9b2ff84f1af27563cf3
  SHA512: 04af61c5fb09fd712291e30e95a17e39a778d54d7740e4423fa7a739e19ff57a6956c4e89fcd26cf18cb55c3ff82c8436254d9afd9962b1bc359919f7841d721
- Filesize: 255KB
  MD5: 5f77820edf7c518b6ef7377e062c1271
  SHA1: 8dc96cd573321834800aeef8ee4fabd5f0f1eeec
  SHA256: adeeb8f7dd1ee73ea8c91153f1c1d9112823c8da1dbae9b2ff84f1af27563cf3
  SHA512: 04af61c5fb09fd712291e30e95a17e39a778d54d7740e4423fa7a739e19ff57a6956c4e89fcd26cf18cb55c3ff82c8436254d9afd9962b1bc359919f7841d721
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 255KB
  MD5: 04e21ad76f3f2b82b11993607f41868a
  SHA1: f78ad6ec55ac81e84a2c7a2c372cf6a53b096586
  SHA256: 603a3298523daad6595773fe9269094e98b8da00629955cad80021c1281a1118
  SHA512: 65e4a512c317bbc20429e2c0481690fce9664b2456c7d74b7a9851010e740f2b9d0ef07f46a940f62dc27a2e968a4426caa48d91171c2afaa024a001d096528e
- Filesize: 255KB
  MD5: fed85d4d0fa276d6d2882cbbfa875e4a
  SHA1: e320a17a78936054e2dfe682303f636c4b5eb60e
  SHA256: 79508caa7e7f506c6123395a316b9c43fd5bb0f08e48b159a4388bce7288679e
  SHA512: fde21255dd93a6fba4afa1a1b8b50aa7981d2fcb4e52d648fbc19ca7ddb2a3488050f5e618e4af91bb94d876b576ee182809bdc321edd199d257a558288118de
- Filesize: 255KB
  MD5: fed85d4d0fa276d6d2882cbbfa875e4a
  SHA1: e320a17a78936054e2dfe682303f636c4b5eb60e
  SHA256: 79508caa7e7f506c6123395a316b9c43fd5bb0f08e48b159a4388bce7288679e
  SHA512: fde21255dd93a6fba4afa1a1b8b50aa7981d2fcb4e52d648fbc19ca7ddb2a3488050f5e618e4af91bb94d876b576ee182809bdc321edd199d257a558288118de
- Filesize: 255KB
  MD5: ce3d3a2ea8bd5d6471fddf159ea2d2da
  SHA1: b50d6dad449c08eea0790e39d3a2e421e70e3a22
  SHA256: 81d18c0f5168f8521eb8f5b9508ae0928283fd82819df61618d569d043f5cc80
  SHA512: 80d3d8cb06bebd67e25e20cb1a32cfa6c55f9962976ed96d556e42593f2808af6b139b0ab832eda192b2c424aa2886d6f1cc5ec2b8248849d8af53880042812d
- Filesize: 255KB
  MD5: 5d7b1ad5fd0f13ea91ff1e4a1bfb4e2e
  SHA1: 3ffdb3884fc3654682c7bd5d44deb74161969bcc
  SHA256: e6e7aa8a285998593deb544e517ec5ee70bb885a64e2e2c0139892694aaf38e1
  SHA512: 5beacf8d3c5225772e5e9b99eac6555345ce5217711f67ed45262d7c3e3cc554adf23d719e93e4ca6b2909a4b5516184570addcc8edb83c52495914fe0a35ef8
- Filesize: 255KB
  MD5: 5d7b1ad5fd0f13ea91ff1e4a1bfb4e2e
  SHA1: 3ffdb3884fc3654682c7bd5d44deb74161969bcc
  SHA256: e6e7aa8a285998593deb544e517ec5ee70bb885a64e2e2c0139892694aaf38e1
  SHA512: 5beacf8d3c5225772e5e9b99eac6555345ce5217711f67ed45262d7c3e3cc554adf23d719e93e4ca6b2909a4b5516184570addcc8edb83c52495914fe0a35ef8
- Filesize: 255KB
  MD5: 5f77820edf7c518b6ef7377e062c1271
  SHA1: 8dc96cd573321834800aeef8ee4fabd5f0f1eeec
  SHA256: adeeb8f7dd1ee73ea8c91153f1c1d9112823c8da1dbae9b2ff84f1af27563cf3
  SHA512: 04af61c5fb09fd712291e30e95a17e39a778d54d7740e4423fa7a739e19ff57a6956c4e89fcd26cf18cb55c3ff82c8436254d9afd9962b1bc359919f7841d721