d26596eaf05f5aae4292ac12d822047e5c9d19ebbafe0b9a46faf5b5b1a4209b

Analysis

max time kernel
152s
max time network
65s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38b36f71998c3391faa39cbcfc7a173d.exe
Size

512KB
MD5

38b36f71998c3391faa39cbcfc7a173d
SHA1

3e0f1cd2a65e69614abd0da404e8e4b99a2249ac
SHA256

d26596eaf05f5aae4292ac12d822047e5c9d19ebbafe0b9a46faf5b5b1a4209b
SHA512

3d6c8780f7d8f264323417bbadfb0d774f93fcc6a78c3e9d08bb69d4fc265fd80fe540881180f86ec63ddfaf62c2a20b25947d25faee0fb7c5681f15344a6c1b
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5/

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	exuerppnfx.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	exuerppnfx.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	exuerppnfx.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	exuerppnfx.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
628	exuerppnfx.exe
2796	yzbdqouegnluehr.exe
1028	xmeqxjtv.exe
2596	fumbworqftupr.exe
2244	xmeqxjtv.exe

Loads dropped DLL 5 IoCs

pid	Process
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
628	exuerppnfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	exuerppnfx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbhrsjlj = "yzbdqouegnluehr.exe"	yzbdqouegnluehr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fumbworqftupr.exe"	yzbdqouegnluehr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mupfkwwm = "exuerppnfx.exe"	yzbdqouegnluehr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	xmeqxjtv.exe
File opened (read-only)	\??\q:	xmeqxjtv.exe
File opened (read-only)	\??\p:	xmeqxjtv.exe
File opened (read-only)	\??\l:	xmeqxjtv.exe
File opened (read-only)	\??\m:	xmeqxjtv.exe
File opened (read-only)	\??\y:	xmeqxjtv.exe
File opened (read-only)	\??\p:	exuerppnfx.exe
File opened (read-only)	\??\q:	exuerppnfx.exe
File opened (read-only)	\??\w:	exuerppnfx.exe
File opened (read-only)	\??\b:	xmeqxjtv.exe
File opened (read-only)	\??\u:	xmeqxjtv.exe
File opened (read-only)	\??\j:	xmeqxjtv.exe
File opened (read-only)	\??\e:	exuerppnfx.exe
File opened (read-only)	\??\k:	exuerppnfx.exe
File opened (read-only)	\??\y:	exuerppnfx.exe
File opened (read-only)	\??\r:	xmeqxjtv.exe
File opened (read-only)	\??\z:	xmeqxjtv.exe
File opened (read-only)	\??\n:	xmeqxjtv.exe
File opened (read-only)	\??\l:	exuerppnfx.exe
File opened (read-only)	\??\n:	exuerppnfx.exe
File opened (read-only)	\??\h:	xmeqxjtv.exe
File opened (read-only)	\??\s:	xmeqxjtv.exe
File opened (read-only)	\??\r:	exuerppnfx.exe
File opened (read-only)	\??\a:	xmeqxjtv.exe
File opened (read-only)	\??\o:	xmeqxjtv.exe
File opened (read-only)	\??\o:	xmeqxjtv.exe
File opened (read-only)	\??\s:	xmeqxjtv.exe
File opened (read-only)	\??\z:	xmeqxjtv.exe
File opened (read-only)	\??\s:	exuerppnfx.exe
File opened (read-only)	\??\m:	xmeqxjtv.exe
File opened (read-only)	\??\g:	xmeqxjtv.exe
File opened (read-only)	\??\k:	xmeqxjtv.exe
File opened (read-only)	\??\a:	exuerppnfx.exe
File opened (read-only)	\??\m:	exuerppnfx.exe
File opened (read-only)	\??\z:	exuerppnfx.exe
File opened (read-only)	\??\j:	xmeqxjtv.exe
File opened (read-only)	\??\j:	exuerppnfx.exe
File opened (read-only)	\??\e:	xmeqxjtv.exe
File opened (read-only)	\??\i:	exuerppnfx.exe
File opened (read-only)	\??\i:	xmeqxjtv.exe
File opened (read-only)	\??\y:	xmeqxjtv.exe
File opened (read-only)	\??\v:	xmeqxjtv.exe
File opened (read-only)	\??\b:	exuerppnfx.exe
File opened (read-only)	\??\g:	xmeqxjtv.exe
File opened (read-only)	\??\k:	xmeqxjtv.exe
File opened (read-only)	\??\e:	xmeqxjtv.exe
File opened (read-only)	\??\l:	xmeqxjtv.exe
File opened (read-only)	\??\x:	xmeqxjtv.exe
File opened (read-only)	\??\t:	xmeqxjtv.exe
File opened (read-only)	\??\a:	xmeqxjtv.exe
File opened (read-only)	\??\x:	xmeqxjtv.exe
File opened (read-only)	\??\v:	exuerppnfx.exe
File opened (read-only)	\??\v:	xmeqxjtv.exe
File opened (read-only)	\??\h:	xmeqxjtv.exe
File opened (read-only)	\??\p:	xmeqxjtv.exe
File opened (read-only)	\??\r:	xmeqxjtv.exe
File opened (read-only)	\??\h:	exuerppnfx.exe
File opened (read-only)	\??\o:	exuerppnfx.exe
File opened (read-only)	\??\q:	xmeqxjtv.exe
File opened (read-only)	\??\i:	xmeqxjtv.exe
File opened (read-only)	\??\b:	xmeqxjtv.exe
File opened (read-only)	\??\u:	xmeqxjtv.exe
File opened (read-only)	\??\w:	xmeqxjtv.exe
File opened (read-only)	\??\g:	exuerppnfx.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	exuerppnfx.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	exuerppnfx.exe

AutoIT Executable 21 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0030000000016ced-5.dat	autoit_exe
behavioral1/files/0x0008000000012281-20.dat	autoit_exe
behavioral1/files/0x0008000000012281-24.dat	autoit_exe
behavioral1/files/0x0030000000016ced-22.dat	autoit_exe
behavioral1/files/0x0008000000012281-17.dat	autoit_exe
behavioral1/files/0x0030000000016ced-26.dat	autoit_exe
behavioral1/files/0x0030000000016ced-28.dat	autoit_exe
behavioral1/files/0x0007000000016d52-32.dat	autoit_exe
behavioral1/files/0x0007000000016d5b-33.dat	autoit_exe
behavioral1/files/0x0007000000016d52-29.dat	autoit_exe
behavioral1/files/0x0007000000016d5b-38.dat	autoit_exe
behavioral1/files/0x0007000000016d52-42.dat	autoit_exe
behavioral1/files/0x0007000000016d52-43.dat	autoit_exe
behavioral1/files/0x0007000000016d52-41.dat	autoit_exe
behavioral1/files/0x0007000000016d5b-40.dat	autoit_exe
behavioral1/files/0x000500000001948b-73.dat	autoit_exe
behavioral1/files/0x0005000000019493-86.dat	autoit_exe
behavioral1/files/0x000500000001948f-82.dat	autoit_exe
behavioral1/files/0x000500000001948c-78.dat	autoit_exe
behavioral1/files/0x000500000001948c-75.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\exuerppnfx.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\SysWOW64\exuerppnfx.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File created	C:\Windows\SysWOW64\yzbdqouegnluehr.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\SysWOW64\yzbdqouegnluehr.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File created	C:\Windows\SysWOW64\xmeqxjtv.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\SysWOW64\xmeqxjtv.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File created	C:\Windows\SysWOW64\fumbworqftupr.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\SysWOW64\fumbworqftupr.exe	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	exuerppnfx.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xmeqxjtv.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xmeqxjtv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xmeqxjtv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xmeqxjtv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xmeqxjtv.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xmeqxjtv.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xmeqxjtv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	38b36f71998c3391faa39cbcfc7a173d.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	exuerppnfx.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	exuerppnfx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33462D0B9D2C83236D3E77D077262CA97DF165A8"	38b36f71998c3391faa39cbcfc7a173d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	exuerppnfx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B15C479238E352BDBAA733EAD4B9"	38b36f71998c3391faa39cbcfc7a173d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	exuerppnfx.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1480	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2244	xmeqxjtv.exe
2244	xmeqxjtv.exe
2244	xmeqxjtv.exe
2244	xmeqxjtv.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2796	yzbdqouegnluehr.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	1824	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	988	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe
Token: SeShutdownPrivilege	2076	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
2244	xmeqxjtv.exe
2244	xmeqxjtv.exe
2244	xmeqxjtv.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
1480	WINWORD.EXE
1480	WINWORD.EXE
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
2308	38b36f71998c3391faa39cbcfc7a173d.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
628	exuerppnfx.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2796	yzbdqouegnluehr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
2596	fumbworqftupr.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
1028	xmeqxjtv.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
1824	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe
988	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1480	WINWORD.EXE
1480	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 628	2308	38b36f71998c3391faa39cbcfc7a173d.exe	32
PID 2308 wrote to memory of 628	2308	38b36f71998c3391faa39cbcfc7a173d.exe	32
PID 2308 wrote to memory of 628	2308	38b36f71998c3391faa39cbcfc7a173d.exe	32
PID 2308 wrote to memory of 628	2308	38b36f71998c3391faa39cbcfc7a173d.exe	32
PID 2308 wrote to memory of 2796	2308	38b36f71998c3391faa39cbcfc7a173d.exe	30
PID 2308 wrote to memory of 2796	2308	38b36f71998c3391faa39cbcfc7a173d.exe	30
PID 2308 wrote to memory of 2796	2308	38b36f71998c3391faa39cbcfc7a173d.exe	30
PID 2308 wrote to memory of 2796	2308	38b36f71998c3391faa39cbcfc7a173d.exe	30
PID 2308 wrote to memory of 1028	2308	38b36f71998c3391faa39cbcfc7a173d.exe	31
PID 2308 wrote to memory of 1028	2308	38b36f71998c3391faa39cbcfc7a173d.exe	31
PID 2308 wrote to memory of 1028	2308	38b36f71998c3391faa39cbcfc7a173d.exe	31
PID 2308 wrote to memory of 1028	2308	38b36f71998c3391faa39cbcfc7a173d.exe	31
PID 2308 wrote to memory of 2596	2308	38b36f71998c3391faa39cbcfc7a173d.exe	34
PID 2308 wrote to memory of 2596	2308	38b36f71998c3391faa39cbcfc7a173d.exe	34
PID 2308 wrote to memory of 2596	2308	38b36f71998c3391faa39cbcfc7a173d.exe	34
PID 2308 wrote to memory of 2596	2308	38b36f71998c3391faa39cbcfc7a173d.exe	34
PID 628 wrote to memory of 2244	628	exuerppnfx.exe	33
PID 628 wrote to memory of 2244	628	exuerppnfx.exe	33
PID 628 wrote to memory of 2244	628	exuerppnfx.exe	33
PID 628 wrote to memory of 2244	628	exuerppnfx.exe	33
PID 2308 wrote to memory of 1480	2308	38b36f71998c3391faa39cbcfc7a173d.exe	35
PID 2308 wrote to memory of 1480	2308	38b36f71998c3391faa39cbcfc7a173d.exe	35
PID 2308 wrote to memory of 1480	2308	38b36f71998c3391faa39cbcfc7a173d.exe	35
PID 2308 wrote to memory of 1480	2308	38b36f71998c3391faa39cbcfc7a173d.exe	35
PID 1480 wrote to memory of 1804	1480	WINWORD.EXE	42
PID 1480 wrote to memory of 1804	1480	WINWORD.EXE	42
PID 1480 wrote to memory of 1804	1480	WINWORD.EXE	42
PID 1480 wrote to memory of 1804	1480	WINWORD.EXE	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\38b36f71998c3391faa39cbcfc7a173d.exe
"C:\Users\Admin\AppData\Local\Temp\38b36f71998c3391faa39cbcfc7a173d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\yzbdqouegnluehr.exe
  yzbdqouegnluehr.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796
- C:\Windows\SysWOW64\xmeqxjtv.exe
  xmeqxjtv.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1028
- C:\Windows\SysWOW64\exuerppnfx.exe
  exuerppnfx.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\xmeqxjtv.exe
    C:\Windows\system32\xmeqxjtv.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2244
- C:\Windows\SysWOW64\fumbworqftupr.exe
  fumbworqftupr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1804

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:988

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
81KB

MD5
125ec77e3c16edc320848a83fc2cd3ae

SHA1
0dc64ec7dc37cf1d258b57e97f1a9d1856be6068

SHA256
91f131ca1ad349e11f78d9c0c4022778331ea0734e9d8e4354029b2a178f16ca

SHA512
f004e4b4fd9385d963d023e44e92ab4b2e5bdd709a77ab8b8852a5d12f2162b60da5a66563419e322a920d59551c76ecbaef561512933e278000ccd669e7a218

Download Submit
C:\Users\Admin\Desktop\DismountEnter.doc.exe

Filesize
77KB

MD5
6fa337f9d5ccd38751193ba5defd8727

SHA1
3beccac5ae9fec231414b7694b9ada3376d9ed6c

SHA256
bc33b8329fdde6e1969cd8aa752ff0a45a17d01e9e95bd8bc5c6ffe412013533

SHA512
96ed4d7b5c5f98492aebc7fd84e36d4acb254ef27a9daa3ef6a04171d2528f87c89e8b6ed09c370567d4556a2ccc9ecebf3d25a85d190023d2dd7b7590f94232

Download Submit
C:\Users\Admin\Desktop\DismountEnter.doc.exe

Filesize
102KB

MD5
b65b87931f3e926aaac417b9c253be89

SHA1
5055a32d3532002dab7f81b86330c6c735a1f229

SHA256
fca5c656163c23bb213c4eb935ed99b088ad1561d66a82670ffbbd25f5375425

SHA512
2e9d66ab741ee005ce96658fd5923061aba34347c98c255e882c9500e103ab58262f914c3ce321cb6b37618dd658d459bfad25ec44b80998b3f803b700ac3022

Download Submit
C:\Users\Admin\Documents\CompleteFind.doc.exe

Filesize
91KB

MD5
6a0bc3823ed40139f629ac173bd36d84

SHA1
f9caf0d5278921f1db874bf54583837298ecb505

SHA256
ce6d4e857f1687628e885e488e25a0fdc7a5898d90bdfe69075643571f7d2d14

SHA512
d33c882894bd78d8c5a03ee9743023e56a005addb81cbbe67bf317326f322a16f063ea65d13cd3b9944063355fde44a4455abc3364e74dce9642bc19ce88ee05

Download Submit
C:\Users\Admin\Documents\UndoBackup.doc.exe

Filesize
141KB

MD5
d849fc26ac827dc206ade0afd6b35379

SHA1
fd6f431474fb5e6e99e79a57bc2ad26703b42b66

SHA256
22f74f5ebe81e139aa34034e7e19056c755af7f846921bb3c8e7ee1b0f080767

SHA512
0a44701b4a5ceffa5eec743c865320f13565cecbdeec845d9068888160978220d5940c2a6b47a8516086e80ceeeb3a0eb5523fa243e5621cf2f7bfe725d08edc

Download Submit
C:\Windows\SysWOW64\exuerppnfx.exe

Filesize
129KB

MD5
9cc25673c5a939941abdc520a748f4b1

SHA1
1f9c1dc7c9b7cfefbe38864e2084f1f8ea262171

SHA256
60552980d8047342b4c71219af563eeb92bd7f9d53efbc0cc8adec6ee3f27c66

SHA512
bc58a9c52b4f91ce59f1f7a90743046f502a166bcc2b557f4bc58113df94975bd10e21bcef0f77deeb6b66d4fdee7e64b4fc70980532567336fd9b10b2e401ca

Download Submit
C:\Windows\SysWOW64\exuerppnfx.exe

Filesize
64KB

MD5
d76d22b81130bc9206c7c947d7a9ea5e

SHA1
5956e88a6ec7949ce5a350e21703307d855f34b1

SHA256
b96acd28ea28c51de470bf63ebbc33a346440fe63e236ab9f092e0cb3035b870

SHA512
112f4f23127929556f27e12a7979ebd1536af790c92f8ff7870a5b39470bd02d83fbf1697e7ab3eccebd71c44ae7bfbd1dac9c39fefa6e15a488baf840b8aaf1

Download Submit
C:\Windows\SysWOW64\fumbworqftupr.exe

Filesize
47KB

MD5
518cb5bcbb760bc4abdf346ca6557c33

SHA1
c3c1c47e13906e3f7c3cfa0a1bcefd2682873c15

SHA256
f8c00d90f3cbd4c71ca3e61a5284d5959fdb7559f87e33852a38480b1879ab28

SHA512
d0562330f13e8c987cc26e7ab1d8de46ea13ddf09ede67a0205b7c6b8d6503dcf13e2365c0cb86f629f9bcb186ba89e9a16c7114fba637bc609193ed50fdd0da

Download Submit
C:\Windows\SysWOW64\fumbworqftupr.exe

Filesize
53KB

MD5
82f8e3c76cd57074a4606156cecda15b

SHA1
b1ff3b6ed27c9457079cfeba066e6ce9f1531444

SHA256
d3fa4139eded7491f2e583ac641735fbf6bda629358caffa5bf5b6b2e815c69c

SHA512
f2a8def5b475292fdff6f7bfe123f012c21bea84d2394c59c55f747e28d367150caeeb889f0236eddd92bc1d208e1a801602f2ffc69f9835030b3ba25fe7de47

Download Submit
C:\Windows\SysWOW64\xmeqxjtv.exe

Filesize
68KB

MD5
33a8265ef438507b8190b799b1459f92

SHA1
1a581b01d5613ee448b2c5ad274665e9ab77ada9

SHA256
38518272666478ddf5f6b6f13746107feb829e2d07db2d5058f51e0242d23a2d

SHA512
3ae43d6e12a5aae895bfb214e0d9f84ba1729fd5b8313042416445f666baed08a770a934b56234abaf3efe651c3d02f8f4d17bb80439080875e4033c7ffecd05

Download Submit
C:\Windows\SysWOW64\xmeqxjtv.exe

Filesize
45KB

MD5
d75e2e49480ae8f621116c29c9793456

SHA1
25673f6176020fc53b17107e12092ab2c5a08077

SHA256
0d45a36f1f3e3249954be32a13505081db53f2c15ad93e1e0d0a47c0553d0e20

SHA512
a93c7b2b18c55a9999224df8c59b9c059c31f61c59251890a97082f19625800724e196c644acedd3db076124addc63c55d5981bfc6f721692784df1b991521df

Download Submit
C:\Windows\SysWOW64\xmeqxjtv.exe

Filesize
87KB

MD5
f81ca4958fd0111ddd25ff816357c1eb

SHA1
e9ed8a0e6521185b6e07d43fbad22757ba8ac700

SHA256
ac659675f8e3d05aacfc750e7c61905bb201bcc0fd3905c8651ff048f133bda3

SHA512
2329cabe1607232000dc6e990ba2c276d4d259ac623e97ac75833e706f1723f673d98a05b68579b75e8643a473c9b396b24fda1b7fbe1c9dd95bcc56bee38fd7

Download Submit
C:\Windows\SysWOW64\yzbdqouegnluehr.exe

Filesize
59KB

MD5
e5c0c64dd58350441942cf02eed9af86

SHA1
f6f545eb5ce2d4667c6a3b99dc1e7cf821f1b2c0

SHA256
b6a805564ed01e6281741708dcd2134c7edee1238c5de535900c23a6e0b3d836

SHA512
815cf2d069f153afb9dba22b919b38600b0f69d303143c22422985e374fc407940938aba13e734a454ab07131dea59611666096d6e966b0e7d2fec1d229452fa

Download Submit
C:\Windows\SysWOW64\yzbdqouegnluehr.exe

Filesize
86KB

MD5
b679edda74d295b427eca4b5dc354014

SHA1
d2f6b5a687140e62c9d4400743f5837e6a410b7a

SHA256
e701cfb270ee1288a59603f999abc1a8fc3150b3d50fa3055d3c3eaa5fb24022

SHA512
e77a47762bf7ed239ef411fc253809684aa5a7ab07a1032e8b8919e9ab55b030e41feedd773f957287eec83c2025a0b536ddddf0b38757ffa7fe61b482637f69

Download Submit
C:\Windows\SysWOW64\yzbdqouegnluehr.exe

Filesize
96KB

MD5
2e283cd2589b11283af83d87f383e599

SHA1
e10c52eabd8b52da6b9510f3567966062a631bc1

SHA256
588e3266cd43a4da53c919a16cc78702d3e9dba04f8fee4d20a8efc37dff4343

SHA512
5b764dad6d5da854b4a575a2161ad83814b28fb0a6bf34005af39b2fc2c6e65134fc6482ed8a52f4a46b738b2c6e18f0449c6176e80b414f29df86d44ed35794

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\exuerppnfx.exe

Filesize
96KB

MD5
2f50f5fc45b0fd7b5f20c1fe0c5872c5

SHA1
aaebc4dbeadf0cb9a0d5213b885ff61454d4620e

SHA256
2787e51b74bf8ffa8b12ce436155e60803cad6366f9b376402c008d485a5f154

SHA512
0d29364b03b27d479120827e9a2a028d8c3e027d5dca31efa28800765a5ee8a70b8b917d5ac993e35eebde83013ddc1cc490996caaf8a65202b803465d8fa034

Download Submit
\Windows\SysWOW64\fumbworqftupr.exe

Filesize
70KB

MD5
6ec5c21d9c82e518b5d34a7dd80a99e7

SHA1
b119b8ac11b4110fc68e50c79187e347822f296a

SHA256
8c11333ec56041acd308b8761209d0718844e8bac8cf5a2e83f79a00ca9aee10

SHA512
503c92ab576ec0cc72c767db7680e57b803f2a6225ba151431c263f5e28467ec75cb42351e7ce1fdc54bd4831e163c44f310ac6742814558f49b3e891da37f08

Download Submit
\Windows\SysWOW64\xmeqxjtv.exe

Filesize
63KB

MD5
047e1d46073a811125d0c1367ee31ee5

SHA1
f1359c6938dd91621544cc33f97e3ea32194f65b

SHA256
0600ffd0b13b50f0bb80f5780e9ee899b752690834720c041caa8532da2dd4cb

SHA512
f39c9b4cb21fdf0bda23a722f5b92868839f596ceecc5e0777c7b8dbf52c51d3f0d3c957f5e09a784482752056b96ad9de3af2798938dffb5af514c970b36399

Download Submit
\Windows\SysWOW64\xmeqxjtv.exe

Filesize
95KB

MD5
d185b6428614c792ec53ff961475f7e6

SHA1
80062232504c5da273815f01ae9969d233b191b6

SHA256
9815fe428ed8f0406a29b51647b777454a77615fa3181c2582da4e8352e4aa7f

SHA512
427589ed29d30ac85cefa1d376da5719be5e1705ee0cca182e242375f5f5f85ca3f8c4ce810c9a85de0df4ea293410f569373f21f02b30357371c4d2cd348136

Download Submit
\Windows\SysWOW64\yzbdqouegnluehr.exe

Filesize
95KB

MD5
ed7af3273de3ec56fcf42befbeba8f1e

SHA1
5cdabfa600145f870e1b15627d4af22a5735b033

SHA256
6155fbddab0cd3535038fbfdb65c647bbf5f879bbe5c536acdb39f0f7deb2c2a

SHA512
1c4f4a2c6a2a7babfa5e933fb2268f68ec5a9e757f6b3d054c6ba7779ab2c0723fd4b91ad49633d664161a25876976606ac2e8fec68a3cfb762646a2b4d46ea6

Download Submit
memory/988-91-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/1480-47-0x0000000070DFD000-0x0000000070E08000-memory.dmp

Filesize
44KB

Download
memory/1480-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1480-45-0x000000002F921000-0x000000002F922000-memory.dmp

Filesize
4KB

Download
memory/1480-90-0x0000000070DFD000-0x0000000070E08000-memory.dmp

Filesize
44KB

Download
memory/1824-89-0x0000000003E70000-0x0000000003E71000-memory.dmp

Filesize
4KB

Download
memory/2076-99-0x0000000002640000-0x0000000002650000-memory.dmp

Filesize
64KB

Download
memory/2076-94-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/2076-92-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/2308-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2648-67-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download