Analysis
max time kernel: 153s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 21:04
Behavioral task: behavioral1
Sample: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Resource: win7-20220812-en
General
Target: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Size: 255KB
MD5: 7918565ccd637d96a24b00726bd7646f
SHA1: c5f3ee09d8365c5be1609f61c6c4b6f7627ddbf8
SHA256: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21
SHA512: 4ac7823e403a117bf37ba563bf0fdcc091a9d7a8568f7df3a5e983f3fcff2c90ac0a6f4d5cc1837fe8eca75ce6050e77f7a160632e4fc9564e1c0d27693dffde
SSDEEP: 3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJg:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI1
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
With HideFileExt set, Explorer displays the PROTTPLN.DOC.exe and PROTTPLV.DOC.exe files dropped later in this report as PROTTPLN.DOC and PROTTPLV.DOC.
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" sdrqejoxcj.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" sdrqejoxcj.exe
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sdrqejoxcj.exe
Disables RegEdit via registry modification 1 IoCs
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" sdrqejoxcj.exe
Executes dropped EXE 6 IoCs
Processes: sdrqejoxcj.exe, jfgnoizkjskpzeq.exe, wazpvkgf.exe, mtfbueqaetxuu.exe, mtfbueqaetxuu.exe, wazpvkgf.exe
pid process
1520 sdrqejoxcj.exe
1208 jfgnoizkjskpzeq.exe
1764 wazpvkgf.exe
1984 mtfbueqaetxuu.exe
1620 mtfbueqaetxuu.exe
1676 wazpvkgf.exe
Processes:
resource yara_rule: upx
Memory dumps, region 0x0000000000400000-0x00000000004A0000 in every process:
  pid 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe): dumps 55, 92, 100
  pid 1520 (sdrqejoxcj.exe): dumps 85, 93
  pid 1208 (jfgnoizkjskpzeq.exe): dumps 87, 94
  pid 1764 (wazpvkgf.exe): dumps 88, 95
  pid 1984 (mtfbueqaetxuu.exe): dumps 89, 96
  pid 1620 (mtfbueqaetxuu.exe): dumps 90, 97
  pid 1676 (wazpvkgf.exe): dumps 91, 98
Dropped files (logged under both \Windows\SysWOW64\ and C:\Windows\SysWOW64\):
  sdrqejoxcj.exe (3 entries), jfgnoizkjskpzeq.exe (3 entries), wazpvkgf.exe (5 entries), mtfbueqaetxuu.exe (5 entries)
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
Loads dropped DLL 6 IoCs
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, cmd.exe, sdrqejoxcj.exe
pid process
1756 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe (4 entries)
2036 cmd.exe
1520 sdrqejoxcj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" sdrqejoxcj.exe
Adds Run key to start application 2 TTPs 4 IoCs
All three Run values hold a bare file name rather than a full path; at logon they resolve through the search path to the copies dropped in C:\Windows\SysWOW64\. A Run value without a directory component is itself a useful hunting signal.
Processes: jfgnoizkjskpzeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mtfbueqaetxuu.exe" jfgnoizkjskpzeq.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run jfgnoizkjskpzeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zxzyikai = "sdrqejoxcj.exe" jfgnoizkjskpzeq.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xtywyjsl = "jfgnoizkjskpzeq.exe" jfgnoizkjskpzeq.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: wazpvkgf.exe, sdrqejoxcj.exe, wazpvkgf.exe
All 64 entries are "File opened (read-only) \??\<letter>:" calls:
  sdrqejoxcj.exe (22 opens): a:, b:, e:, f:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, u:, v:, w:, x:, y:, z: (every letter except c:, d:, g:, t:)
  wazpvkgf.exe, both instances together (42 opens): every letter a: through z: except c: and d:; a:, j:, n:, o:, r:, y: opened once, the other letters twice
Modifies WinLogon 2 TTPs 2 IoCs
SFCDisable = 4294967197 is 0xFFFFFF9D (signed -99), the value that disabled Windows File Protection on Windows 2000/XP. Windows Vista and later do not honour SFCDisable or SFCScan, so on this Windows 7 image the write has no effect, but it is a dependable indicator of older worm code being carried forward.
Processes: sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" sdrqejoxcj.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" sdrqejoxcj.exe
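The registry signatures above (Explorer visibility, Security Center flags, DisableRegistryTools, Run keys, Winlogon SFC values) all share one row format. The script below is an added example, not part of this report, of Triage, or of the sample: it parses rows in that format and grades them against a small rule table. The rule table, its labels and the hive abbreviations (hklm\, hku\) are this example's own assumptions; the REPORT_LINES are copied from the tables above.

```python
"""Grade registry writes from a Triage-style report against a small rule table.

Added example; it is not part of this report, of Triage, or of the sample.
REPORT_LINES are copied from the IoC tables above.  RULES, the labels and the
hive normalisation are this example's own conventions (assumptions).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Triage IoC row: "<op> <key or key\value>[ = "<data>"] <process>"
_IOC_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key deleted) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r' (?P<proc>\S+)$'
)

REPORT_LINES = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" sdrqejoxcj.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" sdrqejoxcj.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sdrqejoxcj.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sdrqejoxcj.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" sdrqejoxcj.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" sdrqejoxcj.exe',
    r'Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run jfgnoizkjskpzeq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zxzyikai = "sdrqejoxcj.exe" jfgnoizkjskpzeq.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mtfbueqaetxuu.exe" jfgnoizkjskpzeq.exe',
]

# (normalised key suffix, value name or None for any, data that is bad or None for any, label)
RULES = [
    ("explorer\\advanced", "hidefileext", "1", "hide file extensions"),
    ("explorer\\advanced", "showsuperhidden", "0", "hide protected OS files"),
    ("\\security center", None, "1", "security center override/notify flag"),
    ("policies\\system", "disableregistrytools", "1", "regedit disabled"),
    ("currentversion\\winlogon", "sfcscan", "0", "sfc logon scan disabled (legacy)"),
    ("currentversion\\winlogon", "sfcdisable", None, "windows file protection disabled (legacy)"),
    ("currentversion\\run", None, None, "run-key persistence"),
]


@dataclass(frozen=True)
class RegWrite:
    op: str
    key: str            # lower-cased, hive shortened to hklm\ / hku\, Wow6432Node removed
    value: str          # value name; "" is the key's (Default) value
    data: Optional[str]
    proc: str


def normalise_key(key: str) -> str:
    key = key.lower().replace("\\wow6432node", "")
    key = re.sub(r"^\\registry\\user\\s-1-5-21-[\d-]+\\", r"hku\\", key)
    return key.replace("\\registry\\machine\\", "hklm\\", 1)


def parse_ioc(line: str) -> Optional[RegWrite]:
    m = _IOC_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if m.group("op").startswith("Set value"):
        key, _, value = path.rpartition("\\")   # last component is the value name
    else:
        key, value = path, ""                    # Key created/deleted: whole path is the key
    return RegWrite(m.group("op"), normalise_key(key), value, m.group("data"), m.group("proc"))


def classify(lines):
    """Map rule label -> list of 'value=data [process]' strings that matched."""
    findings = defaultdict(list)
    for line in lines:
        w = parse_ioc(line)
        if w is None or not w.op.startswith("Set value"):
            continue                             # key creation alone carries no data to grade
        for suffix, vname, bad, label in RULES:
            if not w.key.endswith(suffix):
                continue
            if vname is not None and w.value.lower() != vname:
                continue
            if bad is not None and w.data != bad:
                continue
            note = ""
            if label == "run-key persistence" and "\\" not in (w.data or ""):
                note = " (bare file name: resolved through the search path at logon)"
            findings[label].append(f"{w.value or '(Default)'}={w.data}{note} [{w.proc}]")
    return dict(findings)


def dword_as_signed(text: str) -> int:
    """Read a REG_DWORD the report prints as unsigned decimal as a signed 32-bit value."""
    v = int(text) & 0xFFFFFFFF
    return v - 0x1_0000_0000 if v & 0x8000_0000 else v


if __name__ == "__main__":
    for label, hits in classify(REPORT_LINES).items():
        print(f"{label}:")
        for h in hits:
            print(f"  {h}")
    print("SFCDisable as signed DWORD:", dword_as_signed("4294967197"))   # 0xFFFFFF9D
```

The same parser takes rows pasted from any other Triage report; only RULES needs extending. Matching on a normalised key suffix rather than the full path is deliberate, so that HKLM and HKU writes, and native and Wow6432Node writes, land on the same rule.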
AutoIT Executable 15 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule: autoit_exe
Memory dumps, region 0x0000000000400000-0x00000000004A0000 in every process:
  pid 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe): dumps 55, 92, 100
  pid 1520 (sdrqejoxcj.exe): dumps 85, 93
  pid 1208 (jfgnoizkjskpzeq.exe): dumps 87, 94
  pid 1764 (wazpvkgf.exe): dumps 88, 95
  pid 1984 (mtfbueqaetxuu.exe): dumps 89, 96
  pid 1620 (mtfbueqaetxuu.exe): dumps 90, 97
  pid 1676 (wazpvkgf.exe): dumps 91, 98
Drops file in System32 directory 9 IoCs
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, sdrqejoxcj.exe
File opened for modification C:\Windows\SysWOW64\jfgnoizkjskpzeq.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File opened for modification C:\Windows\SysWOW64\mtfbueqaetxuu.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll sdrqejoxcj.exe
File created C:\Windows\SysWOW64\sdrqejoxcj.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File created C:\Windows\SysWOW64\jfgnoizkjskpzeq.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File created C:\Windows\SysWOW64\wazpvkgf.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File opened for modification C:\Windows\SysWOW64\wazpvkgf.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File created C:\Windows\SysWOW64\mtfbueqaetxuu.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File opened for modification C:\Windows\SysWOW64\sdrqejoxcj.exe 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Drops file in Program Files directory 15 IoCs
Office's own PROTTPLN.DOC and PROTTPLV.DOC are never listed; the .nal files are opened for modification without any create event, which fits the original documents having been renamed to .nal and a PE written as <name>.DOC.exe in their place. Together with HideFileExt = 1 (above) the replacement shows in Explorer under the original document name.
Processes: wazpvkgf.exe, wazpvkgf.exe
All paths are under C:\Program Files (x86)\Microsoft Office\Office14\1033\ (logged in both the C:\ and \??\c:\ forms):
File created PROTTPLN.DOC.exe (2 entries) wazpvkgf.exe
File opened for modification PROTTPLN.DOC.exe (4 entries) wazpvkgf.exe
File opened for modification PROTTPLN.nal (2 entries) wazpvkgf.exe
File created PROTTPLV.DOC.exe (1 entry) wazpvkgf.exe
File opened for modification PROTTPLV.DOC.exe (4 entries) wazpvkgf.exe
File opened for modification PROTTPLV.nal (2 entries) wazpvkgf.exe
Drops file in Windows directory 5 IoCs
The sample writes C:\Windows\mydoc.rtf and WINWORD.EXE (pid 1744) then opens it: a decoy document shown to the user while the dropped executables run. ~$mydoc.rtf is Word's owner lock file and wiatrace.log is Office tracing, both side effects of opening the decoy.
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, WINWORD.EXE
File opened for modification C:\Windows\mydoc.rtf 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
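The Program Files and Windows directory signatures above describe a file-level pattern that can be hunted for directly: an executable named <document>.<docext>.exe with a <document>.nal sibling. The scanner below is an added example (not part of the report or the sample). It builds a constructed directory tree in a temporary folder with stand-in files so it runs offline; the DOC_EXTS list is an assumption, and in real use scan_tree() is pointed at the Program Files and user-document roots.

```python
"""Hunt for the "document.DOC.exe beside document.nal" pattern the report shows
under Office14\1033.

Added example; not part of the report or the sample.  The directory tree is
constructed in a temporary directory (stand-in files, not the real dropped
binaries) so the scan runs offline; in practice point scan_tree() at the real
Program Files and user-document roots.
"""
import os
import tempfile
from pathlib import Path

# Extensions a lure would hide behind ".exe" (assumed list; extend as needed).
DOC_EXTS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt"}


def is_pe(path: Path) -> bool:
    """True if the file starts with the MZ header (cheap first-pass PE check)."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_tree(root: Path):
    """Return (exe_path, sibling_nal_path_or_None, is_pe) for every
    <stem>.<docext>.exe found under root.  A <stem>.nal sibling is the
    strongest signal: the report never shows a .nal being created, only
    modified, which fits the original document having been renamed aside."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            low = name.lower()
            if not low.endswith(".exe"):
                continue
            inner = Path(low[:-4]).suffix            # ".doc" in "prottpln.doc.exe"
            if inner not in DOC_EXTS:
                continue
            stem = low[: -4 - len(inner)]            # "prottpln"
            nal = by_lower.get(stem + ".nal")
            exe = Path(dirpath, name)
            hits.append((exe, Path(dirpath, nal) if nal else None, is_pe(exe)))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed layout mirroring the report's Program Files IoCs."""
    office = base / "Program Files (x86)" / "Microsoft Office" / "Office14" / "1033"
    office.mkdir(parents=True)
    fake_pe = b"MZ" + b"\x00" * 62                   # header only, not executable code
    for stem in ("PROTTPLN", "PROTTPLV"):
        (office / f"{stem}.DOC.exe").write_bytes(fake_pe)
        (office / f"{stem}.nal").write_bytes(b"{\\rtf1 original template}")
    (office / "README.DOC").write_bytes(b"{\\rtf1 benign}")   # no .exe suffix: ignored
    (base / "setup.exe").write_bytes(fake_pe)                   # plain .exe: ignored
    return base


def run_demo():
    """Scan the constructed tree; returns sorted (exe name, nal name, is_pe)."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_tree(build_sample_tree(Path(tmp)))
        return sorted((e.name, n.name if n else None, pe) for e, n, pe in hits)


if __name__ == "__main__":
    for exe, nal, pe in run_demo():
        # With HideFileExt=1 Explorer shows "PROTTPLN.DOC" for PROTTPLN.DOC.exe.
        print(f"{exe:20} nal sibling={nal!s:14} MZ={pe}")
```

The MZ check is only a first pass (a renamed text file would not have it, a packed PE always does); a .nal sibling with no matching .exe is worth listing separately as a file the infector may have already cleaned up after.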
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Office loads VBA resources, possible macro or embedded object present
Processes: WINWORD.EXE
Every entry here is written by WINWORD.EXE, not by the sample: Word registers itself as Internet Explorer's "Default HTML Editor"/"Default MHTML Editor" and installs the OneNote and Excel context-menu extensions when it starts, which it did here to open C:\Windows\mydoc.rtf. Key prefixes: HKLM-IE = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer, HKU-IE = \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer.
Set value (data) HKLM-IE\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Set value (str) HKU-IE\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE
Key created HKLM-IE\Default HTML Editor\shell WINWORD.EXE
Key deleted HKLM-IE\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE
Key deleted HKLM-IE\Default MHTML Editor WINWORD.EXE
Key created HKU-IE\MenuExt\Se&nd to OneNote WINWORD.EXE
Set value (int) HKU-IE\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE
Key deleted HKLM-IE\Default MHTML Editor\shell WINWORD.EXE
Key created HKLM-IE\Default MHTML Editor\shell\edit\command WINWORD.EXE
Set value (str) HKLM-IE\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE
Set value (data) HKLM-IE\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE
Key deleted HKLM-IE\Default HTML Editor\shell WINWORD.EXE
Key created HKLM-IE\Default HTML Editor WINWORD.EXE
Key created HKLM-IE\Default MHTML Editor\shell WINWORD.EXE
Set value (str) HKLM-IE\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE
Key created HKU-IE\MenuExt\E&xport to Microsoft Excel WINWORD.EXE
Set value (str) HKU-IE\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE
Key created HKLM-IE\Default HTML Editor\shell\edit\command WINWORD.EXE
Set value (str) HKLM-IE\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE
Key created HKU-IE\Toolbar WINWORD.EXE
Set value (int) HKU-IE\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE
Key deleted HKLM-IE\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE
Set value (str) HKLM-IE\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE
Key created HKLM-IE\Default MHTML Editor WINWORD.EXE
Set value (str) HKU-IE\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE
Key created HKU-IE\MenuExt WINWORD.EXE
Key created HKLM-IE\Default MHTML Editor\shell\edit WINWORD.EXE
Key deleted HKLM-IE\Default HTML Editor\shell\edit WINWORD.EXE
Key created HKLM-IE\Default HTML Editor\shell\edit WINWORD.EXE
Key deleted HKLM-IE\Default HTML Editor WINWORD.EXE
Key deleted HKLM-IE\Default MHTML Editor\shell\edit WINWORD.EXE
Modifies registry class 64 IoCs
Only five of the 64 entries come from the sample's processes, and those are the ones that matter: sdrqejoxcj.exe retargets the .WSH class to txtfile (so Windows Script Host settings files open as text instead of running) and creates .reg and .bat class keys (no values for them appear on this page), while the original executable stores two opaque values under CLV.Classes, a key with no legitimate owner that makes a good host indicator. The remaining 59 WINWORD.EXE entries are Office's .htm/.mht file-association registration, triggered by opening the decoy document.
Processes: WINWORD.EXE, sdrqejoxcj.exe, 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Sample processes:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" sdrqejoxcj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg sdrqejoxcj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat sdrqejoxcj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFC8348268513903DD75B7E94BD97E1375843664F6244D691" 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08068C4FF6E22D1D279D0A58A789163" 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
WINWORD.EXE (all keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\):
Key created htmlfile\shell
Key created .htm\OpenWithList\Microsoft Publisher
Set value (str) .mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created .mht\OpenWithList\Excel.exe\shell\edit
Key created .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
Key created htmlfile\DefaultIcon
Set value (str) mhtmlfile\shell\Edit\ = "&Edit"
Key created .mht\OpenWithList\MSPub.exe\shell\edit\command
Key created htmlfile\shell\Edit
Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (data) .htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
Set value (str) .mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
Set value (str) .mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
Set value (str) .mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
Key created .htm\OpenWithList\WinWord.exe\shell\ed
Key created .htm\OpenWithList\Microsoft Publisher\shell\edit
Key created .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Key created .mht\OpenWithList\Microsoft Publisher
Key created .mht\OpenWithList\MSPub.exe
Key created .htm
Key created .htm\OpenWithList\MSPub.exe
Key deleted mhtmlfile\shell\Print\command
Key created htmlfile\shell\Edit\command
Set value (str) htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
Key created .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
Set value (str) .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
Set value (str) mhtmlfile\DefaultIcon\ = "\"%1\""
Set value (str) .mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
Key deleted htmlfile\shell\Edit
Key created .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
Key created .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
Set value (data) .htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
Key created .htm\OpenWithList\Microsoft Excel\shell\edit\command
Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
Key deleted mhtmlfile\shell\Edit\command
Set value (str) .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
Set value (str) .mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"
Key created .mht\OpenWithList\WinWord.exe
Key created Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
Set value (str) htmlfile\DefaultIcon\ = "\"%1\""
Key created .htm\OpenWithList\Microsoft Word
Set value (str) .htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
Key created .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
Set value (str) .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
Key created .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic
Set value (str) htmlfile\shell\Edit\ = "&Edit"
Key created .htm\OpenWithList\WinWord.exe\shell\edit\command
Set value (str) .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
Key created Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
Key created .mht\OpenWithList\Excel.exe
Key created .htm\OpenWithList\MSPub.exe\shell\edit\command
Key created Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}
Key created htmlfile\shell\Print\command
Set value (str) htmlfile\shell\Print\ = "&Print"
Set value (str) .htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
Key created .htm\OpenWithList\Microsoft Excel
Set value (data) .htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
Key created .htm\OpenWithList\MSPub.exe\shell\edit
Set value (str) .mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
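The REG_BINARY "command" values in the two WINWORD.EXE sections above (Default HTML/MHTML Editor and the .htm/.mht OpenWithList entries) look opaque in the report but are plain UTF-16LE text. The decoder below is an added example, not part of the report: it turns the hex the report prints back into the string and splits it into the fields of a Windows Installer Darwin descriptor (20-character compressed product code, feature name, '>', 20-character compressed component code, then any command-line arguments), which is what Office's install-on-demand shell registrations store. The two hex constants are copied from the report; the field names are this example's own.

```python
"""Decode the REG_BINARY "command" blobs WINWORD.EXE writes under
...\shell\edit\command\command (Default HTML/MHTML Editor and the .htm/.mht
OpenWithList entries above).

Added example; not part of the report.  The two hex strings are copied from
the report.  The field layout (20-character compressed product code, feature
name, '>', 20-character component code, then any arguments) is the Windows
Installer "Darwin descriptor" that Office's install-on-demand shell
registrations use; nothing here is attacker data.
"""
from dataclasses import dataclass

# From "Default HTML Editor\shell\edit\command\command" (WINWORD.EXE), copied from the report
WORD_HTML_EDITOR = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"

# From "Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command" (WINWORD.EXE), copied from the report
EXCEL_OPENWITH = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000"


@dataclass(frozen=True)
class Descriptor:
    product: str     # compressed product GUID (20 chars)
    feature: str     # feature the shell verb advertises / installs on demand
    component: str   # compressed component GUID (20 chars) that resolves to the exe path
    args: str        # command-line tail appended after the resolved path


def decode_reg_binary_utf16(hexblob: str) -> str:
    """REG_BINARY as Triage prints it -> the UTF-16LE string it carries (NULs stripped)."""
    return bytes.fromhex(hexblob).decode("utf-16-le").rstrip("\x00")


def parse_darwin(text: str) -> Descriptor:
    product, rest = text[:20], text[20:]
    feature, sep, rest = rest.partition(">")
    if len(product) != 20 or not sep or len(rest) < 20:
        raise ValueError("not a Darwin descriptor")
    return Descriptor(product, feature, rest[:20], rest[20:].strip())


def describe(hexblob: str) -> Descriptor:
    return parse_darwin(decode_reg_binary_utf16(hexblob))


if __name__ == "__main__":
    for name, blob in (("Word HTML editor", WORD_HTML_EDITOR), ("Excel OpenWithList", EXCEL_OPENWITH)):
        print(name, describe(blob))
```

Both blobs decode to the same product code with different feature/component pairs (WORDFiles vs EXCELFiles) and the expected verb arguments (/n "%1" for Word, /dde for Excel), which is exactly what a legitimate Office registration looks like; a descriptor whose component resolves to a path outside the Office directory would be the thing to chase.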
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid process
1744 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, jfgnoizkjskpzeq.exe, sdrqejoxcj.exe, wazpvkgf.exe, mtfbueqaetxuu.exe, mtfbueqaetxuu.exe, wazpvkgf.exe
pid process (entries)
1756 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe (8)
1208 jfgnoizkjskpzeq.exe (11)
1520 sdrqejoxcj.exe (5)
1764 wazpvkgf.exe (4)
1984 mtfbueqaetxuu.exe (16)
1620 mtfbueqaetxuu.exe (16)
1676 wazpvkgf.exe (4)
Suspicious use of FindShellTrayWindow 21 IoCs
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, sdrqejoxcj.exe, jfgnoizkjskpzeq.exe, wazpvkgf.exe, mtfbueqaetxuu.exe, mtfbueqaetxuu.exe, wazpvkgf.exe
pid process (entries)
1756 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe (3)
1520 sdrqejoxcj.exe (3)
1208 jfgnoizkjskpzeq.exe (3)
1764 wazpvkgf.exe (3)
1984 mtfbueqaetxuu.exe (3)
1620 mtfbueqaetxuu.exe (3)
1676 wazpvkgf.exe (3)
Suspicious use of SendNotifyMessage 21 IoCs
Processes: 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe, sdrqejoxcj.exe, jfgnoizkjskpzeq.exe, wazpvkgf.exe, mtfbueqaetxuu.exe, mtfbueqaetxuu.exe, wazpvkgf.exe
pid process (entries)
1756 55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe (3)
1520 sdrqejoxcj.exe (3)
1208 jfgnoizkjskpzeq.exe (3)
1764 wazpvkgf.exe (3)
1984 mtfbueqaetxuu.exe (3)
1620 mtfbueqaetxuu.exe (3)
1676 wazpvkgf.exe (3)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid process (events)
- 1744 WINWORD.EXE (2)
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
description: source PID (process) wrote to memory of target PID (target process); each relationship is recorded as four separate events in the original table
- 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe) wrote to memory of 1520 (sdrqejoxcj.exe), 4 events
- 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe) wrote to memory of 1208 (jfgnoizkjskpzeq.exe), 4 events
- 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe) wrote to memory of 1764 (wazpvkgf.exe), 4 events
- 1208 (jfgnoizkjskpzeq.exe) wrote to memory of 2036 (cmd.exe), 4 events
- 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe) wrote to memory of 1984 (mtfbueqaetxuu.exe), 4 events
- 2036 (cmd.exe) wrote to memory of 1620 (mtfbueqaetxuu.exe), 4 events
- 1520 (sdrqejoxcj.exe) wrote to memory of 1676 (wazpvkgf.exe), 4 events
- 1756 (55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe) wrote to memory of 1744 (WINWORD.EXE), 4 events
- 1744 (WINWORD.EXE) wrote to memory of 1632 (splwow64.exe), 4 events
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\55f9badb3207ed1867a1da4721c65f4dc284cd4a49968266e530e52b84b2ef21.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756 -
[level 2] C:\Windows\SysWOW64\sdrqejoxcj.exe
Command line: sdrqejoxcj.exe
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520 -
[level 3] C:\Windows\SysWOW64\wazpvkgf.exe
Command line: C:\Windows\system32\wazpvkgf.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1676 -
[level 2] C:\Windows\SysWOW64\jfgnoizkjskpzeq.exe
Command line: jfgnoizkjskpzeq.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208 -
[level 3] C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c mtfbueqaetxuu.exe
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
[level 4] C:\Windows\SysWOW64\mtfbueqaetxuu.exe
Command line: mtfbueqaetxuu.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1620 -
[level 2] C:\Windows\SysWOW64\wazpvkgf.exe
Command line: wazpvkgf.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1764 -
[level 2] C:\Windows\SysWOW64\mtfbueqaetxuu.exe
Command line: mtfbueqaetxuu.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1984 -
[level 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744 -
[level 3] C:\Windows\splwow64.exe
Command line: C:\Windows\splwow64.exe 12288
PID:1632
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (7)
Downloads