Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20250610-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:13
Static task: static1
Behavioral task: behavioral1
Sample: 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Resource: win10v2004-20250610-en
General
- Target: 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
- Size: 512KB
- MD5: cb4339057f37835db60db37e0723661c
- SHA1: 8d2c86bf354b4999841c03ce50630ea008d52f5b
- SHA256: 187b12e76b28d6c706cd833dccd0ac2a284fc21d3e892e950c3595e5803e82e5
- SHA512: b8dd316a9c60ecc8be1e34d17782029c2276fd18f51526b215bc0b77cea3b661aac6915abd2d1880fe12fddb724f348c11224d362ee9a6a17c8052f01bb5396e
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hahskjdzwb.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hahskjdzwb.exe

Windows security bypass (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hahskjdzwb.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hahskjdzwb.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000\Control Panel\International\Geo\Nation | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Executes dropped EXE (5 IoCs)
pid | Process
1588 | hahskjdzwb.exe
3436 | srhbqidzphxrnge.exe
3900 | benbqdxb.exe
5164 | gojgtnjakxrpm.exe
4724 | benbqdxb.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hahskjdzwb.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dbsjcwbk = "hahskjdzwb.exe" | srhbqidzphxrnge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\micrrcgk = "srhbqidzphxrnge.exe" | srhbqidzphxrnge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gojgtnjakxrpm.exe" | srhbqidzphxrnge.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\x: | hahskjdzwb.exe
File opened (read-only) | \??\k: | benbqdxb.exe
File opened (read-only) | \??\w: | benbqdxb.exe
File opened (read-only) | \??\i: | hahskjdzwb.exe
File opened (read-only) | \??\b: | benbqdxb.exe
File opened (read-only) | \??\l: | benbqdxb.exe
File opened (read-only) | \??\v: | benbqdxb.exe
File opened (read-only) | \??\i: | benbqdxb.exe
File opened (read-only) | \??\u: | benbqdxb.exe
File opened (read-only) | \??\e: | hahskjdzwb.exe
File opened (read-only) | \??\r: | hahskjdzwb.exe
File opened (read-only) | \??\e: | benbqdxb.exe
File opened (read-only) | \??\r: | benbqdxb.exe
File opened (read-only) | \??\s: | benbqdxb.exe
File opened (read-only) | \??\h: | hahskjdzwb.exe
File opened (read-only) | \??\j: | hahskjdzwb.exe
File opened (read-only) | \??\h: | benbqdxb.exe
File opened (read-only) | \??\e: | benbqdxb.exe
File opened (read-only) | \??\w: | hahskjdzwb.exe
File opened (read-only) | \??\p: | benbqdxb.exe
File opened (read-only) | \??\v: | benbqdxb.exe
File opened (read-only) | \??\a: | hahskjdzwb.exe
File opened (read-only) | \??\k: | hahskjdzwb.exe
File opened (read-only) | \??\p: | hahskjdzwb.exe
File opened (read-only) | \??\a: | benbqdxb.exe
File opened (read-only) | \??\m: | benbqdxb.exe
File opened (read-only) | \??\z: | benbqdxb.exe
File opened (read-only) | \??\j: | benbqdxb.exe
File opened (read-only) | \??\x: | benbqdxb.exe
File opened (read-only) | \??\n: | hahskjdzwb.exe
File opened (read-only) | \??\z: | hahskjdzwb.exe
File opened (read-only) | \??\g: | benbqdxb.exe
File opened (read-only) | \??\x: | benbqdxb.exe
File opened (read-only) | \??\u: | hahskjdzwb.exe
File opened (read-only) | \??\o: | benbqdxb.exe
File opened (read-only) | \??\u: | benbqdxb.exe
File opened (read-only) | \??\g: | benbqdxb.exe
File opened (read-only) | \??\h: | benbqdxb.exe
File opened (read-only) | \??\q: | benbqdxb.exe
File opened (read-only) | \??\t: | benbqdxb.exe
File opened (read-only) | \??\o: | benbqdxb.exe
File opened (read-only) | \??\r: | benbqdxb.exe
File opened (read-only) | \??\s: | benbqdxb.exe
File opened (read-only) | \??\l: | hahskjdzwb.exe
File opened (read-only) | \??\q: | benbqdxb.exe
File opened (read-only) | \??\a: | benbqdxb.exe
File opened (read-only) | \??\b: | hahskjdzwb.exe
File opened (read-only) | \??\q: | hahskjdzwb.exe
File opened (read-only) | \??\s: | hahskjdzwb.exe
File opened (read-only) | \??\t: | hahskjdzwb.exe
File opened (read-only) | \??\i: | benbqdxb.exe
File opened (read-only) | \??\k: | benbqdxb.exe
File opened (read-only) | \??\w: | benbqdxb.exe
File opened (read-only) | \??\b: | benbqdxb.exe
File opened (read-only) | \??\p: | benbqdxb.exe
File opened (read-only) | \??\t: | benbqdxb.exe
File opened (read-only) | \??\g: | hahskjdzwb.exe
File opened (read-only) | \??\o: | hahskjdzwb.exe
File opened (read-only) | \??\y: | hahskjdzwb.exe
File opened (read-only) | \??\m: | benbqdxb.exe
File opened (read-only) | \??\n: | benbqdxb.exe
File opened (read-only) | \??\z: | benbqdxb.exe
File opened (read-only) | \??\m: | hahskjdzwb.exe
File opened (read-only) | \??\v: | hahskjdzwb.exe

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hahskjdzwb.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hahskjdzwb.exe
AutoIT Executable (11 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1508-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000700000002411a-5.dat | autoit_exe
behavioral1/files/0x00040000000232cd-18.dat | autoit_exe
behavioral1/files/0x000700000002411b-32.dat | autoit_exe
behavioral1/files/0x000700000002411c-30.dat | autoit_exe
behavioral1/files/0x0007000000024128-66.dat | autoit_exe
behavioral1/files/0x0007000000024129-72.dat | autoit_exe
behavioral1/files/0x0004000000016902-90.dat | autoit_exe
behavioral1/files/0x00170000000162a4-84.dat | autoit_exe
behavioral1/files/0x000700000002413e-114.dat | autoit_exe
behavioral1/files/0x000700000002413e-533.dat | autoit_exe

Drops file in System32 directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\hahskjdzwb.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\srhbqidzphxrnge.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\benbqdxb.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\benbqdxb.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\gojgtnjakxrpm.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\gojgtnjakxrpm.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hahskjdzwb.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | C:\Windows\SysWOW64\hahskjdzwb.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File created | C:\Windows\SysWOW64\srhbqidzphxrnge.exe | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | benbqdxb.exe

Drops file in Program Files directory (15 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | benbqdxb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | benbqdxb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | benbqdxb.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | benbqdxb.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | benbqdxb.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | benbqdxb.exe

Drops file in Windows directory (19 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | C:\Windows\mydoc.rtf | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | benbqdxb.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | benbqdxb.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | benbqdxb.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gojgtnjakxrpm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | benbqdxb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | benbqdxb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | srhbqidzphxrnge.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hahskjdzwb.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BB7FF6721A9D273D1A98A7B9161" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | hahskjdzwb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67815E1DBC0B9BD7CE7EDE034BB" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | hahskjdzwb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | hahskjdzwb.exe
Key created | \REGISTRY\USER\S-1-5-21-155457276-1657131288-1088518942-1000_Classes\Local Settings | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C799C2182256A3776A170222DAD7CF264DB" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB2B12F47E0399952CFBAD6339DD7C4" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8FFF88482A856F903CD7297DE6BD97E14658306645623ED799" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | hahskjdzwb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | hahskjdzwb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | hahskjdzwb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | hahskjdzwb.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CDF965F1E0840E3B31869F3EE2B38F02FC4260023BE1BF42E708D6" | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process | consecutive rows
5716 | WINWORD.EXE | 2

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | consecutive rows
1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 16
3436 | srhbqidzphxrnge.exe | 4
1588 | hahskjdzwb.exe | 2
3436 | srhbqidzphxrnge.exe | 2
1588 | hahskjdzwb.exe | 2
3436 | srhbqidzphxrnge.exe | 2
1588 | hahskjdzwb.exe | 6
3436 | srhbqidzphxrnge.exe | 2
5164 | gojgtnjakxrpm.exe | 1
3900 | benbqdxb.exe | 2
5164 | gojgtnjakxrpm.exe | 11
3900 | benbqdxb.exe | 6
3436 | srhbqidzphxrnge.exe | 2
4724 | benbqdxb.exe | 6

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | consecutive rows
1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 3
3436 | srhbqidzphxrnge.exe | 3
1588 | hahskjdzwb.exe | 3
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
4724 | benbqdxb.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | consecutive rows
1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 3
3436 | srhbqidzphxrnge.exe | 3
1588 | hahskjdzwb.exe | 3
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
3900 | benbqdxb.exe | 1
5164 | gojgtnjakxrpm.exe | 1
4724 | benbqdxb.exe | 3

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process | consecutive rows
5716 | WINWORD.EXE | 7

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | consecutive rows
PID 1508 wrote to memory of 1588 | 1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 86 | 3
PID 1508 wrote to memory of 3436 | 1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 87 | 3
PID 1508 wrote to memory of 3900 | 1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 88 | 3
PID 1508 wrote to memory of 5164 | 1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 89 | 3
PID 1508 wrote to memory of 5716 | 1508 | 2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe | 90 | 2
PID 1588 wrote to memory of 4724 | 1588 | hahskjdzwb.exe | 98 | 3
Processes
Process tree (indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe (PID 1508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_cb4339057f37835db60db37e0723661c_elex_stop_yuner.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\hahskjdzwb.exe (PID 1588)
    Command line: hahskjdzwb.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\benbqdxb.exe (PID 4724)
      Command line: C:\Windows\system32\benbqdxb.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\srhbqidzphxrnge.exe (PID 3436)
    Command line: srhbqidzphxrnge.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\benbqdxb.exe (PID 3900)
    Command line: benbqdxb.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gojgtnjakxrpm.exe (PID 5164)
    Command line: gojgtnjakxrpm.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 5716)
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe (PID 5064)
  Command line: C:\Windows\system32\cmd.exe /c hahskjdzwb.exe

C:\Windows\system32\cmd.exe (PID 5112)
  Command line: C:\Windows\system32\cmd.exe /c srhbqidzphxrnge.exe

C:\Windows\system32\cmd.exe (PID 4736)
  Command line: C:\Windows\system32\cmd.exe /c gojgtnjakxrpm.exe
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 512KB
  MD5: 8bc9ce20a892b52912f073225133e47d
  SHA1: 95a84c41456625eaa6769496b8ec3b2502b2e45f
  SHA256: ebc0119d367f832a8db4a89c815beea8d66650d7b150b28d55daaf22576edf17
  SHA512: 1d309c1b13ef309f5784d031650d93534220c39d4c4fe23446954a1605161e6cfa1487104b14f2828e7e637891f5d6152abd5d731cf2dd2a502171576a8db78a
- Filesize: 512KB
  MD5: 6aaaa73bcdf7d0206a8b6648c493afeb
  SHA1: f4b46dea77119ad410c3a8a0f5f893810e7e8f36
  SHA256: 716cabd3fce3bd2c1b16a44529e0eb41127562108caee6dc1d1974eacd45a9f0
  SHA512: 16e58f3820155b242069430bb4f4b5b72b79580f4718c886a9490210b678739578f267c9737501c10ff4bee254bff31f4fbdab992280c7d50a11dee2adbe11bf
- Filesize: 245KB
  MD5: f883b260a8d67082ea895c14bf56dd56
  SHA1: 7954565c1f243d46ad3b1e2f1baf3281451fc14b
  SHA256: ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
  SHA512: d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
- Filesize: 309B
  MD5: fed9010112e641295f358cbf2b793a96
  SHA1: 0144ae4751bdba4aad32148c024a3597601525ae
  SHA256: 38a70abe1a4c96a41948dfa670d01c46eb131284c87199920b22736c21f531e5
  SHA512: 7f3796b7fe6400d3324092a7e66365d397eb1a32514e35a0e3cf2f38029f96c89b566efdccf0636d7bbe6b6c3ae2ae21285ea5fd6747d927de64dbd39a386a16
- Filesize: 16B
  MD5: d29962abc88624befc0135579ae485ec
  SHA1: e40a6458296ec6a2427bcb280572d023a9862b31
  SHA256: a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
  SHA512: 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: ef76364b7ae7766287587f2e4be9fba6
  SHA1: bc8453e008ddd2ebc7b910c3079732f96cdb5d45
  SHA256: 6f026fbdf1e196cdf4a7bb3d041eafc0c2e50d49083fd33ef8f95c93d2ded389
  SHA512: 3ced87a6dd5aeb9cdea60075f98afcb594524bcc17e0ae3d9809b4ce3dae2b490b2796aff2fc01e696a70735fc8d2817d3e66370e079f3f84717378e07bf9765
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 1KB
  MD5: 6372b423309cde1c3a913e77833a33c6
  SHA1: 25fa14b9b30133137d908aafb6d52dea4bb005ec
  SHA256: 4718d4976171341b22ea4df646a503ed50d8748aef7f37fe6331aef9dc8f763d
  SHA512: 3acf2051969e6c3670d05bd03d284d3f909d416830a2068be7d8e9df9d0d26041a48479333c47faff970e96f7e79e182442f1aa023b66d66ee4af8f538857262
- Filesize: 512KB
  MD5: 19d8e04ddfb4a7aa8ea63afaf7f79e06
  SHA1: 6e93513a7839464d044086e265df773608c65276
  SHA256: 1e1d23d3f56698088c2a0c8913a46d9fb53018fc3b0899099e89c7cf181f65f3
  SHA512: bd08d08a0eafe611e7cca9a283d2001eaea6b3cb0f7048678891450df5b3c1817a837242a8a389cb11d8576d169910885b89ad38fb29864d75fff43bb97de5df
- Filesize: 512KB
  MD5: 056b2df0bc8a854869800e9be5198870
  SHA1: 2da716acaa3d79598f4382bb5a15e609ebb41ae1
  SHA256: a4d47b55915381ab5caf05c41f7be607b86e9099123569fc8ee06656e24cf780
  SHA512: 0779713a0de04ce0cf927ebc9ffc93791f71159ca916f64569c035184b49ea854ef6725b2472e1f91decfc4c37033a1b48ac5eedc29676e469fba94778c52dcf
- Filesize: 512KB
  MD5: da72332f0c19362fa643e25a2b9fdcb3
  SHA1: 0866754e780707c92cab21ee6853424f6452b8e7
  SHA256: a5012d514f1697745c729a8454b09beab6f426e9cb67c86a3ced7b6d90839fce
  SHA512: a86772698ec80784ab4bcf35d91bcad8b5cfac4302d2656e4f7a58acbb242936b2901a8c3cbc4f6e32cbbea41258233aa7ec91e8d5a1b1527e1721f96713ec71
- Filesize: 512KB
  MD5: 44cd7b8ba24e967a8ddf820d8104b0f1
  SHA1: 2a901482118893ed40d2923809af8245fb9853c0
  SHA256: 8a129f0bc39a131ad6d7ca89a54218bc8649983548b46dbc9a3d4ab39fb1ebd0
  SHA512: eea01b9e027469d178726a1b6f1d12528c7482769b1bf179c0f421d7e85a946806a5f1b8f779db61841ab553c11d90208c018455bca2d9c0a3e078343ca344bf
- Filesize: 512KB
  MD5: bfdd05e3e30de711a0e6a53a4c4fa57c
  SHA1: 1f7939530960d821db1b25fb8a6bf8218c87395d
  SHA256: 5f4546864d0c9788f57502316bbbc4e4c0d58cbcc4e9c613c464d63659e17e3c
  SHA512: 022ad307a4d84e67048ef1efc4683403f10a9127d3e90926144ff0ea5d18aba0daeb8c0445ac4232d23d0d68e8c9401a08d27ba61e1de08d2e6ec418ccc0ee77
- Filesize: 223B
  MD5: 06604e5941c126e2e7be02c5cd9f62ec
  SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
  SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
  SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7
- Filesize: 512KB
  MD5: f441a68ad26fd8ad4dad050f3ed18c1a
  SHA1: fea19feb4648b52cdf628298121cdc6f56782f9c
  SHA256: 12960947ae2a769c5684f8ad11b0910ce5b917f311d8ca98f607d72c600dbedd
  SHA512: 0b68ef8b0af950e54b58c52f07966c9948295f82fad455ab2bba1051efd502094fa791fc26c2e1c6271de349298f73956ccbfd06478b4a84f520f0fc2ef24cbf
- Filesize: 512KB
  MD5: 4ba130c948842e117aed9bff02163fbe
  SHA1: ca5742b9388dcfdc796da425d2469884d02f7e59
  SHA256: 8bd30ab352b34ad2e0e840b35a7559b912b8aff9f0a4b0a7bc600fa2d14a3664
  SHA512: 1ce9ab9ff645229b8bc7e828a78fbd5331df9974a4ba956b6f1eae24e761a2b28eaa96beb70c2efa8e765a80410e059beb221bb8fdd42f3a7676df1f8cf13ab9
- Filesize: 512KB
  MD5: 807ae0f47448f1c7ffb90dcf7a3c67a5
  SHA1: ca0f2237f1e38aabc5048f523d453da29cade224
  SHA256: 33303182d446da2e3e5263337ba4d9af680d5eccf6efff1700b5343dfbc258e3
  SHA512: 1874d1380611dfcd82abcc81e12f6ecf3a14536a239eacab63fb0f8c95d497486cc123641561776f3989d669a6d022664366bf88cebacd1dd73276da860e3fc3