Analysis

max time kernel: 149s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:20
Static task: static1
Behavioral task: behavioral1
  Sample: ab6b87a8ef210e5c047f565cd76a0a1f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: ab6b87a8ef210e5c047f565cd76a0a1f.exe
  Resource: win10v2004-20231215-en
General

Target: ab6b87a8ef210e5c047f565cd76a0a1f.exe
Size: 512KB
MD5: ab6b87a8ef210e5c047f565cd76a0a1f
SHA1: a760eecc424853e684a357082d1aca3302f579a7
SHA256: 1474f25f1f927dcea56a12f600530547de3fa6a226474b3459425ec4145bb226
SHA512: 21899007f1fa298fc7688f51693662c2e3f01dc5d5ce96a3cee4bb3850c4d72c14d2c48f51fb04b4cf7f82828f6afd1d92e362decf0eeabf19abadc3b42f854f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Untitled signature (name missing from page)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Modifies Installed Components in the registry (2 TTPs, 3 IoCs)
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components
Executes dropped EXE (5 IoCs)
- PID 2828 zzpxpuafcp.exe
- PID 2708 nzpuyraiesbvscj.exe
- PID 2736 jvltsuyd.exe
- PID 2488 apdlrggrqwckd.exe
- PID 2596 jvltsuyd.exe

Loads dropped DLL (5 IoCs)
- PID 3016 ab6b87a8ef210e5c047f565cd76a0a1f.exe (×4)
- PID 2828 zzpxpuafcp.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Untitled signature (name missing from page)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Adds Run key to start application (2 TTPs, 3 IoCs)
- nzpuyraiesbvscj.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jhhyblmp = "zzpxpuafcp.exe"
- nzpuyraiesbvscj.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dvbscfqa = "nzpuyraiesbvscj.exe"
- nzpuyraiesbvscj.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "apdlrggrqwckd.exe"
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- zzpxpuafcp.exe: File opened (read-only) \??\v:
- zzpxpuafcp.exe: File opened (read-only) \??\w:
- jvltsuyd.exe: File opened (read-only) \??\i:
- jvltsuyd.exe: File opened (read-only) \??\u:
- jvltsuyd.exe: File opened (read-only) \??\s:
- jvltsuyd.exe: File opened (read-only) \??\v:
- zzpxpuafcp.exe: File opened (read-only) \??\b:
- zzpxpuafcp.exe: File opened (read-only) \??\l:
- zzpxpuafcp.exe: File opened (read-only) \??\u:
- jvltsuyd.exe: File opened (read-only) \??\l:
- jvltsuyd.exe: File opened (read-only) \??\l:
- jvltsuyd.exe: File opened (read-only) \??\x:
- jvltsuyd.exe: File opened (read-only) \??\y:
- zzpxpuafcp.exe: File opened (read-only) \??\n:
- zzpxpuafcp.exe: File opened (read-only) \??\s:
- jvltsuyd.exe: File opened (read-only) \??\e:
- jvltsuyd.exe: File opened (read-only) \??\r:
- jvltsuyd.exe: File opened (read-only) \??\m:
- jvltsuyd.exe: File opened (read-only) \??\n:
- zzpxpuafcp.exe: File opened (read-only) \??\p:
- zzpxpuafcp.exe: File opened (read-only) \??\q:
- jvltsuyd.exe: File opened (read-only) \??\j:
- jvltsuyd.exe: File opened (read-only) \??\k:
- jvltsuyd.exe: File opened (read-only) \??\g:
- jvltsuyd.exe: File opened (read-only) \??\z:
- jvltsuyd.exe: File opened (read-only) \??\m:
- jvltsuyd.exe: File opened (read-only) \??\q:
- jvltsuyd.exe: File opened (read-only) \??\v:
- jvltsuyd.exe: File opened (read-only) \??\w:
- zzpxpuafcp.exe: File opened (read-only) \??\k:
- jvltsuyd.exe: File opened (read-only) \??\h:
- zzpxpuafcp.exe: File opened (read-only) \??\r:
- jvltsuyd.exe: File opened (read-only) \??\g:
- jvltsuyd.exe: File opened (read-only) \??\t:
- jvltsuyd.exe: File opened (read-only) \??\r:
- jvltsuyd.exe: File opened (read-only) \??\p:
- jvltsuyd.exe: File opened (read-only) \??\u:
- zzpxpuafcp.exe: File opened (read-only) \??\o:
- zzpxpuafcp.exe: File opened (read-only) \??\z:
- jvltsuyd.exe: File opened (read-only) \??\y:
- jvltsuyd.exe: File opened (read-only) \??\p:
- zzpxpuafcp.exe: File opened (read-only) \??\t:
- zzpxpuafcp.exe: File opened (read-only) \??\y:
- jvltsuyd.exe: File opened (read-only) \??\b:
- jvltsuyd.exe: File opened (read-only) \??\t:
- jvltsuyd.exe: File opened (read-only) \??\e:
- jvltsuyd.exe: File opened (read-only) \??\q:
- jvltsuyd.exe: File opened (read-only) \??\s:
- zzpxpuafcp.exe: File opened (read-only) \??\j:
- zzpxpuafcp.exe: File opened (read-only) \??\x:
- jvltsuyd.exe: File opened (read-only) \??\n:
- jvltsuyd.exe: File opened (read-only) \??\o:
- zzpxpuafcp.exe: File opened (read-only) \??\m:
- jvltsuyd.exe: File opened (read-only) \??\a:
- jvltsuyd.exe: File opened (read-only) \??\h:
- jvltsuyd.exe: File opened (read-only) \??\i:
- jvltsuyd.exe: File opened (read-only) \??\o:
- jvltsuyd.exe: File opened (read-only) \??\w:
- zzpxpuafcp.exe: File opened (read-only) \??\g:
- jvltsuyd.exe: File opened (read-only) \??\j:
- jvltsuyd.exe: File opened (read-only) \??\k:
- jvltsuyd.exe: File opened (read-only) \??\b:
- jvltsuyd.exe: File opened (read-only) \??\z:
- zzpxpuafcp.exe: File opened (read-only) \??\a:
Modifies WinLogon (2 TTPs, 2 IoCs)
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
- zzpxpuafcp.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
AutoIT Executable (17 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/3016-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x000b000000012242-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000012695-22.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000015d17-34.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000012695-33.dat (yara rule: autoit_exe)
- behavioral1/files/0x0034000000015c9e-39.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000015d17-44.dat (yara rule: autoit_exe)
- behavioral1/files/0x0034000000015c9e-42.dat (yara rule: autoit_exe)
- behavioral1/files/0x0034000000015c9e-41.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000015d17-38.dat (yara rule: autoit_exe)
- behavioral1/files/0x0034000000015c9e-31.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000012695-25.dat (yara rule: autoit_exe)
- behavioral1/files/0x000b000000012242-26.dat (yara rule: autoit_exe)
- behavioral1/files/0x0034000000015c9e-28.dat (yara rule: autoit_exe)
- behavioral1/files/0x000b000000012242-20.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000012695-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x0006000000016d08-73.dat (yara rule: autoit_exe)
Drops file in System32 directory (9 IoCs)
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File created C:\Windows\SysWOW64\zzpxpuafcp.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File created C:\Windows\SysWOW64\nzpuyraiesbvscj.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File created C:\Windows\SysWOW64\apdlrggrqwckd.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File opened for modification C:\Windows\SysWOW64\apdlrggrqwckd.exe
- zzpxpuafcp.exe: File opened for modification C:\Windows\SysWOW64\msvbvm60.dll
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File opened for modification C:\Windows\SysWOW64\zzpxpuafcp.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File opened for modification C:\Windows\SysWOW64\nzpuyraiesbvscj.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File created C:\Windows\SysWOW64\jvltsuyd.exe
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File opened for modification C:\Windows\SysWOW64\jvltsuyd.exe
Drops file in Program Files directory (15 IoCs)
- jvltsuyd.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- jvltsuyd.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- jvltsuyd.exe: File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- jvltsuyd.exe: File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- jvltsuyd.exe: File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- jvltsuyd.exe: File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Drops file in Windows directory (4 IoCs)
- WINWORD.EXE: File created C:\Windows\~$mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\Debug\WIA\wiatrace.log
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: File opened for modification C:\Windows\mydoc.rtf
- WINWORD.EXE: File opened for modification C:\Windows\mydoc.rtf
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (signature name inferred from the process tree below; it is missing from this part of the page)
- WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt
- WINWORD.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- WINWORD.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- WINWORD.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- WINWORD.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
- WINWORD.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar
- WINWORD.EXE: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Modifies registry class (64 IoCs)
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
- zzpxpuafcp.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- zzpxpuafcp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70C15E0DBC3B8BE7CE2EC9F34C8"
- zzpxpuafcp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9BEFE14F2E584793A43869A3998B08A038C4311023FE2CD429C08A0"
- zzpxpuafcp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"
- zzpxpuafcp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings
- ab6b87a8ef210e5c047f565cd76a0a1f.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BC4FE6C22D1D272D0A28A74906A"
- zzpxpuafcp.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
- zzpxpuafcp.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- zzpxpuafcp.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
- explorer.exe: Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 2388 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive repeats collapsed with a count)
- PID 3016 ab6b87a8ef210e5c047f565cd76a0a1f.exe (×7)
- PID 2828 zzpxpuafcp.exe (×5)
- PID 3016 ab6b87a8ef210e5c047f565cd76a0a1f.exe
- PID 2708 nzpuyraiesbvscj.exe (×5)
- PID 2736 jvltsuyd.exe (×4)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×6)
- PID 2596 jvltsuyd.exe (×4)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe (×2)
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
- PID 2708 nzpuyraiesbvscj.exe
- PID 2488 apdlrggrqwckd.exe (×2)
Suspicious use of AdjustPrivilegeToken (36 IoCs; consecutive repeats collapsed with a count)
- Token: SeShutdownPrivilege, PID 1376 explorer.exe (×12)
- Token: SeShutdownPrivilege, PID 1000 explorer.exe (×12)
- Token: SeShutdownPrivilege, PID 996 explorer.exe (×12)
Suspicious use of FindShellTrayWindow (64 IoCs; consecutive repeats collapsed with a count)
- PID 3016 ab6b87a8ef210e5c047f565cd76a0a1f.exe (×3)
- PID 2828 zzpxpuafcp.exe (×3)
- PID 2708 nzpuyraiesbvscj.exe (×3)
- PID 2736 jvltsuyd.exe (×3)
- PID 2488 apdlrggrqwckd.exe (×3)
- PID 2596 jvltsuyd.exe (×3)
- PID 1376 explorer.exe (×18)
- PID 1000 explorer.exe (×27)
- PID 996 explorer.exe
Suspicious use of SendNotifyMessage (64 IoCs; consecutive repeats collapsed with a count)
- PID 3016 ab6b87a8ef210e5c047f565cd76a0a1f.exe (×3)
- PID 2828 zzpxpuafcp.exe (×3)
- PID 2708 nzpuyraiesbvscj.exe (×3)
- PID 2736 jvltsuyd.exe (×3)
- PID 2488 apdlrggrqwckd.exe (×3)
- PID 2596 jvltsuyd.exe (×3)
- PID 1376 explorer.exe (×12)
- PID 1000 explorer.exe (×19)
- PID 996 explorer.exe (×15)
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2388 WINWORD.EXE (×2)
Suspicious use of WriteProcessMemory (32 IoCs; each write is recorded four times, collapsed here with a count)
- PID 3016 (ab6b87a8ef210e5c047f565cd76a0a1f.exe) wrote to memory of PID 2828, target procid 25 (×4)
- PID 3016 (ab6b87a8ef210e5c047f565cd76a0a1f.exe) wrote to memory of PID 2708, target procid 24 (×4)
- PID 3016 (ab6b87a8ef210e5c047f565cd76a0a1f.exe) wrote to memory of PID 2736, target procid 23 (×4)
- PID 2708 (nzpuyraiesbvscj.exe) wrote to memory of PID 2604, target procid 20 (×4)
- PID 3016 (ab6b87a8ef210e5c047f565cd76a0a1f.exe) wrote to memory of PID 2488, target procid 17 (×4)
- PID 2828 (zzpxpuafcp.exe) wrote to memory of PID 2596, target procid 19 (×4)
- PID 3016 (ab6b87a8ef210e5c047f565cd76a0a1f.exe) wrote to memory of PID 2388, target procid 18 (×4)
- PID 2388 (WINWORD.EXE) wrote to memory of PID 2928, target procid 39 (×4)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe", depth 1)
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\apdlrggrqwckd.exe (command line: apdlrggrqwckd.exe, depth 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2488
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf", depth 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288, depth 3)
PID:2928
-
-
-
C:\Windows\SysWOW64\jvltsuyd.exe (command line: jvltsuyd.exe, depth 2)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2736
-
-
C:\Windows\SysWOW64\nzpuyraiesbvscj.exe (command line: nzpuyraiesbvscj.exe, depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2708
-
-
C:\Windows\SysWOW64\zzpxpuafcp.exe (command line: zzpxpuafcp.exe, depth 2)
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
-
-
C:\Windows\SysWOW64\jvltsuyd.exe (command line: C:\Windows\system32\jvltsuyd.exe, depth 1)
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596
-
C:\Windows\SysWOW64\cmd.exe (command line: cmd.exe /c apdlrggrqwckd.exe, depth 1)
PID:2604
-
C:\Windows\explorer.exe (command line: explorer.exe, depth 1)
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376
-
C:\Windows\explorer.exe (command line: explorer.exe, depth 1)
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1000
-
C:\Windows\explorer.exe (command line: explorer.exe, depth 1)
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:996
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (8)
Downloads