f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda

Analysis

max time kernel
256s
max time network
336s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
Size

255KB
MD5

615b30fa89b7016bad71d76871afc3f9
SHA1

2e09693fb4b0867e65303c7033d7668bf44e9f37
SHA256

f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda
SHA512

87359b3cced4867c4b3386c1994ba6c135e884e872c38652cdbaa02179538f5f14af00ae4bf0013e2d6c37ee72aff096f8bfc215834b7576439690377b14cc8c
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJY:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIn

Score

10^/10

evasion persistence trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fmbcqeshgf.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fmbcqeshgf.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fmbcqeshgf.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fmbcqeshgf.exe

Executes dropped EXE 5 IoCs

pid	Process
1116	fmbcqeshgf.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
604	ujmobwod.exe
1524	ujmobwod.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/560-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000a000000013a0e-56.dat	upx
behavioral1/memory/560-57-0x0000000002F80000-0x0000000003020000-memory.dmp	upx
behavioral1/memory/560-58-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000800000001412f-61.dat	upx
behavioral1/files/0x000a000000013a0e-60.dat	upx
behavioral1/files/0x000800000001412f-64.dat	upx
behavioral1/memory/1116-66-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000700000001415d-74.dat	upx
behavioral1/files/0x0007000000014240-73.dat	upx
behavioral1/files/0x000800000001412f-72.dat	upx
behavioral1/memory/1264-71-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0007000000014240-69.dat	upx
behavioral1/files/0x000700000001415d-67.dat	upx
behavioral1/files/0x000a000000013a0e-77.dat	upx
behavioral1/files/0x0007000000014240-79.dat	upx
behavioral1/files/0x000700000001415d-80.dat	upx
behavioral1/files/0x000700000001415d-81.dat	upx
behavioral1/files/0x000700000001415d-83.dat	upx
behavioral1/memory/560-86-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/640-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1524-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1116-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1264-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/604-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/640-98-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1524-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
1116	fmbcqeshgf.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fmbcqeshgf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sfenuxck = "xulqhenvlinhszp.exe"	xulqhenvlinhszp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "hgkessioxzpdo.exe"	xulqhenvlinhszp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	xulqhenvlinhszp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\psixcdcj = "fmbcqeshgf.exe"	xulqhenvlinhszp.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	ujmobwod.exe
File opened (read-only)	\??\p:	fmbcqeshgf.exe
File opened (read-only)	\??\i:	ujmobwod.exe
File opened (read-only)	\??\y:	ujmobwod.exe
File opened (read-only)	\??\f:	ujmobwod.exe
File opened (read-only)	\??\m:	ujmobwod.exe
File opened (read-only)	\??\n:	ujmobwod.exe
File opened (read-only)	\??\s:	ujmobwod.exe
File opened (read-only)	\??\q:	ujmobwod.exe
File opened (read-only)	\??\i:	ujmobwod.exe
File opened (read-only)	\??\u:	ujmobwod.exe
File opened (read-only)	\??\x:	ujmobwod.exe
File opened (read-only)	\??\z:	ujmobwod.exe
File opened (read-only)	\??\v:	fmbcqeshgf.exe
File opened (read-only)	\??\j:	ujmobwod.exe
File opened (read-only)	\??\a:	ujmobwod.exe
File opened (read-only)	\??\q:	ujmobwod.exe
File opened (read-only)	\??\l:	fmbcqeshgf.exe
File opened (read-only)	\??\x:	fmbcqeshgf.exe
File opened (read-only)	\??\b:	ujmobwod.exe
File opened (read-only)	\??\v:	ujmobwod.exe
File opened (read-only)	\??\f:	ujmobwod.exe
File opened (read-only)	\??\i:	fmbcqeshgf.exe
File opened (read-only)	\??\u:	fmbcqeshgf.exe
File opened (read-only)	\??\p:	ujmobwod.exe
File opened (read-only)	\??\f:	fmbcqeshgf.exe
File opened (read-only)	\??\r:	fmbcqeshgf.exe
File opened (read-only)	\??\g:	ujmobwod.exe
File opened (read-only)	\??\u:	ujmobwod.exe
File opened (read-only)	\??\k:	ujmobwod.exe
File opened (read-only)	\??\y:	ujmobwod.exe
File opened (read-only)	\??\t:	fmbcqeshgf.exe
File opened (read-only)	\??\a:	ujmobwod.exe
File opened (read-only)	\??\h:	ujmobwod.exe
File opened (read-only)	\??\r:	ujmobwod.exe
File opened (read-only)	\??\b:	ujmobwod.exe
File opened (read-only)	\??\e:	ujmobwod.exe
File opened (read-only)	\??\s:	ujmobwod.exe
File opened (read-only)	\??\w:	ujmobwod.exe
File opened (read-only)	\??\a:	fmbcqeshgf.exe
File opened (read-only)	\??\b:	fmbcqeshgf.exe
File opened (read-only)	\??\m:	ujmobwod.exe
File opened (read-only)	\??\n:	ujmobwod.exe
File opened (read-only)	\??\k:	fmbcqeshgf.exe
File opened (read-only)	\??\e:	fmbcqeshgf.exe
File opened (read-only)	\??\s:	fmbcqeshgf.exe
File opened (read-only)	\??\t:	ujmobwod.exe
File opened (read-only)	\??\n:	fmbcqeshgf.exe
File opened (read-only)	\??\l:	ujmobwod.exe
File opened (read-only)	\??\h:	ujmobwod.exe
File opened (read-only)	\??\j:	ujmobwod.exe
File opened (read-only)	\??\r:	ujmobwod.exe
File opened (read-only)	\??\v:	ujmobwod.exe
File opened (read-only)	\??\h:	fmbcqeshgf.exe
File opened (read-only)	\??\m:	fmbcqeshgf.exe
File opened (read-only)	\??\o:	ujmobwod.exe
File opened (read-only)	\??\p:	ujmobwod.exe
File opened (read-only)	\??\z:	ujmobwod.exe
File opened (read-only)	\??\g:	fmbcqeshgf.exe
File opened (read-only)	\??\q:	fmbcqeshgf.exe
File opened (read-only)	\??\w:	fmbcqeshgf.exe
File opened (read-only)	\??\e:	ujmobwod.exe
File opened (read-only)	\??\k:	ujmobwod.exe
File opened (read-only)	\??\x:	ujmobwod.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	fmbcqeshgf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	fmbcqeshgf.exe

AutoIT Executable 12 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/560-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/560-58-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1116-66-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1264-71-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/560-86-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/640-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1524-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1116-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1264-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/604-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/640-98-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1524-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fmbcqeshgf.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File created	C:\Windows\SysWOW64\ujmobwod.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File created	C:\Windows\SysWOW64\hgkessioxzpdo.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File opened for modification	C:\Windows\SysWOW64\hgkessioxzpdo.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	fmbcqeshgf.exe
File created	C:\Windows\SysWOW64\fmbcqeshgf.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File created	C:\Windows\SysWOW64\xulqhenvlinhszp.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File opened for modification	C:\Windows\SysWOW64\xulqhenvlinhszp.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
File opened for modification	C:\Windows\SysWOW64\ujmobwod.exe	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	fmbcqeshgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F168B6FE6D22D0D273D0D18A7A9160"	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C0C9C5283256D4676D577252CD67DF264DF"	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	fmbcqeshgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF9FFFB482B856D9042D65D7D9CBDE2E643583666476343D79B"	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB7B12047E339ED53CCB9D5329AD7BB"	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	fmbcqeshgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1144	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
604	ujmobwod.exe
604	ujmobwod.exe
604	ujmobwod.exe
604	ujmobwod.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1524	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
1264	xulqhenvlinhszp.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
604	ujmobwod.exe
604	ujmobwod.exe
604	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1264	xulqhenvlinhszp.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
1116	fmbcqeshgf.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
640	hgkessioxzpdo.exe
604	ujmobwod.exe
604	ujmobwod.exe
604	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe
1524	ujmobwod.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1144	WINWORD.EXE
1144	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1116	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	28
PID 560 wrote to memory of 1116	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	28
PID 560 wrote to memory of 1116	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	28
PID 560 wrote to memory of 1116	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	28
PID 560 wrote to memory of 1264	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	29
PID 560 wrote to memory of 1264	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	29
PID 560 wrote to memory of 1264	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	29
PID 560 wrote to memory of 1264	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	29
PID 560 wrote to memory of 604	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	30
PID 560 wrote to memory of 604	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	30
PID 560 wrote to memory of 604	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	30
PID 560 wrote to memory of 604	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	30
PID 560 wrote to memory of 640	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	31
PID 560 wrote to memory of 640	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	31
PID 560 wrote to memory of 640	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	31
PID 560 wrote to memory of 640	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	31
PID 1116 wrote to memory of 1524	1116	fmbcqeshgf.exe	32
PID 1116 wrote to memory of 1524	1116	fmbcqeshgf.exe	32
PID 1116 wrote to memory of 1524	1116	fmbcqeshgf.exe	32
PID 1116 wrote to memory of 1524	1116	fmbcqeshgf.exe	32
PID 560 wrote to memory of 1144	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	33
PID 560 wrote to memory of 1144	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	33
PID 560 wrote to memory of 1144	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	33
PID 560 wrote to memory of 1144	560	f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe	33
PID 1144 wrote to memory of 1428	1144	WINWORD.EXE	36
PID 1144 wrote to memory of 1428	1144	WINWORD.EXE	36
PID 1144 wrote to memory of 1428	1144	WINWORD.EXE	36
PID 1144 wrote to memory of 1428	1144	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe
"C:\Users\Admin\AppData\Local\Temp\f9e931e26ba173356b4527a9d49d7b5162af2768f30c8da3919c5e26c1f76cda.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\fmbcqeshgf.exe
  fmbcqeshgf.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\ujmobwod.exe
    C:\Windows\system32\ujmobwod.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1524
- C:\Windows\SysWOW64\xulqhenvlinhszp.exe
  xulqhenvlinhszp.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1264
- C:\Windows\SysWOW64\ujmobwod.exe
  ujmobwod.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:604
- C:\Windows\SysWOW64\hgkessioxzpdo.exe
  hgkessioxzpdo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:640
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fmbcqeshgf.exe

Filesize
255KB

MD5
31a732dbe51e282d4fdb1d276f6cb645

SHA1
354f1fb7d329f7f40a4fef2d67a445e207f3d91c

SHA256
7fa0f7cce508b18715b55094b59ca5835623f8e2f740b51856287ae783b37561

SHA512
9aed6decc15df27dc1c0c85a6662bb45fa09d877b16b08217f884350b8cd3ec870429da1715e5513b50883714e790e9aaeac749bc205df2f722c13f9d24b1c2e

Download Submit
C:\Windows\SysWOW64\fmbcqeshgf.exe

Filesize
255KB

MD5
31a732dbe51e282d4fdb1d276f6cb645

SHA1
354f1fb7d329f7f40a4fef2d67a445e207f3d91c

SHA256
7fa0f7cce508b18715b55094b59ca5835623f8e2f740b51856287ae783b37561

SHA512
9aed6decc15df27dc1c0c85a6662bb45fa09d877b16b08217f884350b8cd3ec870429da1715e5513b50883714e790e9aaeac749bc205df2f722c13f9d24b1c2e

Download Submit
C:\Windows\SysWOW64\hgkessioxzpdo.exe

Filesize
255KB

MD5
5a89aeb2451ee71855d9c1b00b395627

SHA1
bd182af45ec13fd93e9918af8d0dd88c5922d684

SHA256
bb7b8bd71ddf1df479de28fa6e8c7c19f26993b29dc0b389ec49fc884d643ad2

SHA512
b05ac92bad39288fbfa6eee1cd4c2572e558ee36875d288a055d7d2c84d5deff40b848e5ec39766f8813d0e8152c5137c2f3b72e9764b3e24d78d0b970c0bfac

Download Submit
C:\Windows\SysWOW64\hgkessioxzpdo.exe

Filesize
255KB

MD5
5a89aeb2451ee71855d9c1b00b395627

SHA1
bd182af45ec13fd93e9918af8d0dd88c5922d684

SHA256
bb7b8bd71ddf1df479de28fa6e8c7c19f26993b29dc0b389ec49fc884d643ad2

SHA512
b05ac92bad39288fbfa6eee1cd4c2572e558ee36875d288a055d7d2c84d5deff40b848e5ec39766f8813d0e8152c5137c2f3b72e9764b3e24d78d0b970c0bfac

Download Submit
C:\Windows\SysWOW64\ujmobwod.exe

Filesize
255KB

MD5
89b22fa11f313cd1eec16fbf3e4f3063

SHA1
e7c184aa1af0ea88549d34491d3ee502a8b71a7a

SHA256
676f7661991b0453079bf6ff54dc1123981604a3f5868b6d16d634e180d09040

SHA512
dc4eef7fee454a0f8e6a0a57c3a30d9f293e077c213e6265c187c2cc7db75e4eddbd32a0475f728443077ff9e280aa016462609d1483de2abe6db0446a8e273e

Download Submit
C:\Windows\SysWOW64\ujmobwod.exe

Filesize
255KB

MD5
89b22fa11f313cd1eec16fbf3e4f3063

SHA1
e7c184aa1af0ea88549d34491d3ee502a8b71a7a

SHA256
676f7661991b0453079bf6ff54dc1123981604a3f5868b6d16d634e180d09040

SHA512
dc4eef7fee454a0f8e6a0a57c3a30d9f293e077c213e6265c187c2cc7db75e4eddbd32a0475f728443077ff9e280aa016462609d1483de2abe6db0446a8e273e

Download Submit
C:\Windows\SysWOW64\ujmobwod.exe

Filesize
255KB

MD5
89b22fa11f313cd1eec16fbf3e4f3063

SHA1
e7c184aa1af0ea88549d34491d3ee502a8b71a7a

SHA256
676f7661991b0453079bf6ff54dc1123981604a3f5868b6d16d634e180d09040

SHA512
dc4eef7fee454a0f8e6a0a57c3a30d9f293e077c213e6265c187c2cc7db75e4eddbd32a0475f728443077ff9e280aa016462609d1483de2abe6db0446a8e273e

Download Submit
C:\Windows\SysWOW64\xulqhenvlinhszp.exe

Filesize
255KB

MD5
627dc2788c50453087f1efd614f72232

SHA1
499d3a789441a95692ed5ce32b43795f5b8fd025

SHA256
0ace8665b2cc32979ec7ab9991724cb1947fd241b316f4127eb7e932c7f82edb

SHA512
e696bc9c82c785b8e636a4f2477ebdb7a9b00b0805719ee6c7fee37fa190ba0f5cf25644e0fdcb5c0d6657e0008ceb6ee0e1f6d22ab4824c1fb766fcbeac71f6

Download Submit
C:\Windows\SysWOW64\xulqhenvlinhszp.exe

Filesize
255KB

MD5
627dc2788c50453087f1efd614f72232

SHA1
499d3a789441a95692ed5ce32b43795f5b8fd025

SHA256
0ace8665b2cc32979ec7ab9991724cb1947fd241b316f4127eb7e932c7f82edb

SHA512
e696bc9c82c785b8e636a4f2477ebdb7a9b00b0805719ee6c7fee37fa190ba0f5cf25644e0fdcb5c0d6657e0008ceb6ee0e1f6d22ab4824c1fb766fcbeac71f6

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\fmbcqeshgf.exe

Filesize
255KB

MD5
31a732dbe51e282d4fdb1d276f6cb645

SHA1
354f1fb7d329f7f40a4fef2d67a445e207f3d91c

SHA256
7fa0f7cce508b18715b55094b59ca5835623f8e2f740b51856287ae783b37561

SHA512
9aed6decc15df27dc1c0c85a6662bb45fa09d877b16b08217f884350b8cd3ec870429da1715e5513b50883714e790e9aaeac749bc205df2f722c13f9d24b1c2e

Download Submit
\Windows\SysWOW64\hgkessioxzpdo.exe

Filesize
255KB

MD5
5a89aeb2451ee71855d9c1b00b395627

SHA1
bd182af45ec13fd93e9918af8d0dd88c5922d684

SHA256
bb7b8bd71ddf1df479de28fa6e8c7c19f26993b29dc0b389ec49fc884d643ad2

SHA512
b05ac92bad39288fbfa6eee1cd4c2572e558ee36875d288a055d7d2c84d5deff40b848e5ec39766f8813d0e8152c5137c2f3b72e9764b3e24d78d0b970c0bfac

Download Submit
\Windows\SysWOW64\ujmobwod.exe

Filesize
255KB

MD5
89b22fa11f313cd1eec16fbf3e4f3063

SHA1
e7c184aa1af0ea88549d34491d3ee502a8b71a7a

SHA256
676f7661991b0453079bf6ff54dc1123981604a3f5868b6d16d634e180d09040

SHA512
dc4eef7fee454a0f8e6a0a57c3a30d9f293e077c213e6265c187c2cc7db75e4eddbd32a0475f728443077ff9e280aa016462609d1483de2abe6db0446a8e273e

Download Submit
\Windows\SysWOW64\ujmobwod.exe

Filesize
255KB

MD5
89b22fa11f313cd1eec16fbf3e4f3063

SHA1
e7c184aa1af0ea88549d34491d3ee502a8b71a7a

SHA256
676f7661991b0453079bf6ff54dc1123981604a3f5868b6d16d634e180d09040

SHA512
dc4eef7fee454a0f8e6a0a57c3a30d9f293e077c213e6265c187c2cc7db75e4eddbd32a0475f728443077ff9e280aa016462609d1483de2abe6db0446a8e273e

Download Submit
\Windows\SysWOW64\xulqhenvlinhszp.exe

Filesize
255KB

MD5
627dc2788c50453087f1efd614f72232

SHA1
499d3a789441a95692ed5ce32b43795f5b8fd025

SHA256
0ace8665b2cc32979ec7ab9991724cb1947fd241b316f4127eb7e932c7f82edb

SHA512
e696bc9c82c785b8e636a4f2477ebdb7a9b00b0805719ee6c7fee37fa190ba0f5cf25644e0fdcb5c0d6657e0008ceb6ee0e1f6d22ab4824c1fb766fcbeac71f6

Download Submit
memory/560-75-0x0000000002F80000-0x0000000003020000-memory.dmp

Filesize
640KB

Download
memory/560-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/560-86-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/560-58-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/560-57-0x0000000002F80000-0x0000000003020000-memory.dmp

Filesize
640KB

Download
memory/560-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/604-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/640-98-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/640-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1116-66-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1116-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1144-87-0x0000000072621000-0x0000000072624000-memory.dmp

Filesize
12KB

Download
memory/1144-89-0x00000000700A1000-0x00000000700A3000-memory.dmp

Filesize
8KB

Download
memory/1144-91-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1144-100-0x000000007108D000-0x0000000071098000-memory.dmp

Filesize
44KB

Download
memory/1144-94-0x000000007108D000-0x0000000071098000-memory.dmp

Filesize
44KB

Download
memory/1264-71-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1264-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1428-102-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/1524-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1524-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download