245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1

Analysis

max time kernel
158s
max time network
72s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Size

255KB
MD5

890c6a7f31c5a3d6c62eda68b1f316e8
SHA1

10330c54bf001d0ae9ce94d911cc154f02e97e0e
SHA256

245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1
SHA512

c9d527d3316d8a64f19c0d2b5ea2bb06776b3e31bdc9473e0d2d449a95c5756f4b4c63178da2ef5b573c5f3c0e715caa6c55a01295f46beeaa93afe5a0548338
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJU:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI7

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	kmeipqyqom.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	kmeipqyqom.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kmeipqyqom.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	kmeipqyqom.exe

Executes dropped EXE 5 IoCs

pid	Process
2024	kmeipqyqom.exe
764	bddildzssfsqkos.exe
1868	wnyjfvpz.exe
632	mssasajwbxxjv.exe
1488	wnyjfvpz.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1188-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000b0000000122f3-56.dat	upx
behavioral1/files/0x000b0000000122f3-58.dat	upx
behavioral1/files/0x000b0000000122f3-61.dat	upx
behavioral1/files/0x000a0000000122f9-60.dat	upx
behavioral1/files/0x000a0000000122f9-63.dat	upx
behavioral1/files/0x0009000000012307-65.dat	upx
behavioral1/files/0x0009000000012307-67.dat	upx
behavioral1/files/0x000800000001230b-68.dat	upx
behavioral1/files/0x000800000001230b-70.dat	upx
behavioral1/files/0x000a0000000122f9-73.dat	upx
behavioral1/files/0x0009000000012307-74.dat	upx
behavioral1/files/0x000800000001230b-75.dat	upx
behavioral1/memory/2024-78-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/764-80-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1868-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/632-82-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0009000000012307-83.dat	upx
behavioral1/files/0x0009000000012307-85.dat	upx
behavioral1/memory/1488-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1188-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2024-94-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1868-96-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/764-95-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/632-97-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1488-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00070000000131b9-109.dat	upx
behavioral1/files/0x00070000000132ee-110.dat	upx
behavioral1/files/0x000700000001334c-111.dat	upx

Loads dropped DLL 5 IoCs

pid	Process
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
2024	kmeipqyqom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	kmeipqyqom.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bddildzssfsqkos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cpntipnk = "kmeipqyqom.exe"	bddildzssfsqkos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mnaduavf = "bddildzssfsqkos.exe"	bddildzssfsqkos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mssasajwbxxjv.exe"	bddildzssfsqkos.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	kmeipqyqom.exe
File opened (read-only)	\??\f:	kmeipqyqom.exe
File opened (read-only)	\??\s:	wnyjfvpz.exe
File opened (read-only)	\??\v:	wnyjfvpz.exe
File opened (read-only)	\??\f:	wnyjfvpz.exe
File opened (read-only)	\??\y:	wnyjfvpz.exe
File opened (read-only)	\??\b:	wnyjfvpz.exe
File opened (read-only)	\??\k:	kmeipqyqom.exe
File opened (read-only)	\??\m:	kmeipqyqom.exe
File opened (read-only)	\??\z:	kmeipqyqom.exe
File opened (read-only)	\??\o:	wnyjfvpz.exe
File opened (read-only)	\??\n:	wnyjfvpz.exe
File opened (read-only)	\??\a:	wnyjfvpz.exe
File opened (read-only)	\??\h:	wnyjfvpz.exe
File opened (read-only)	\??\k:	wnyjfvpz.exe
File opened (read-only)	\??\p:	wnyjfvpz.exe
File opened (read-only)	\??\v:	kmeipqyqom.exe
File opened (read-only)	\??\q:	wnyjfvpz.exe
File opened (read-only)	\??\r:	wnyjfvpz.exe
File opened (read-only)	\??\h:	wnyjfvpz.exe
File opened (read-only)	\??\j:	wnyjfvpz.exe
File opened (read-only)	\??\l:	wnyjfvpz.exe
File opened (read-only)	\??\z:	wnyjfvpz.exe
File opened (read-only)	\??\e:	wnyjfvpz.exe
File opened (read-only)	\??\n:	wnyjfvpz.exe
File opened (read-only)	\??\q:	wnyjfvpz.exe
File opened (read-only)	\??\r:	wnyjfvpz.exe
File opened (read-only)	\??\j:	wnyjfvpz.exe
File opened (read-only)	\??\a:	kmeipqyqom.exe
File opened (read-only)	\??\k:	wnyjfvpz.exe
File opened (read-only)	\??\t:	kmeipqyqom.exe
File opened (read-only)	\??\w:	kmeipqyqom.exe
File opened (read-only)	\??\u:	wnyjfvpz.exe
File opened (read-only)	\??\x:	wnyjfvpz.exe
File opened (read-only)	\??\g:	wnyjfvpz.exe
File opened (read-only)	\??\l:	kmeipqyqom.exe
File opened (read-only)	\??\n:	kmeipqyqom.exe
File opened (read-only)	\??\t:	wnyjfvpz.exe
File opened (read-only)	\??\x:	wnyjfvpz.exe
File opened (read-only)	\??\o:	wnyjfvpz.exe
File opened (read-only)	\??\i:	wnyjfvpz.exe
File opened (read-only)	\??\y:	kmeipqyqom.exe
File opened (read-only)	\??\i:	wnyjfvpz.exe
File opened (read-only)	\??\f:	wnyjfvpz.exe
File opened (read-only)	\??\q:	kmeipqyqom.exe
File opened (read-only)	\??\a:	wnyjfvpz.exe
File opened (read-only)	\??\e:	wnyjfvpz.exe
File opened (read-only)	\??\g:	wnyjfvpz.exe
File opened (read-only)	\??\t:	wnyjfvpz.exe
File opened (read-only)	\??\p:	kmeipqyqom.exe
File opened (read-only)	\??\u:	kmeipqyqom.exe
File opened (read-only)	\??\x:	kmeipqyqom.exe
File opened (read-only)	\??\w:	wnyjfvpz.exe
File opened (read-only)	\??\g:	kmeipqyqom.exe
File opened (read-only)	\??\h:	kmeipqyqom.exe
File opened (read-only)	\??\m:	wnyjfvpz.exe
File opened (read-only)	\??\s:	wnyjfvpz.exe
File opened (read-only)	\??\u:	wnyjfvpz.exe
File opened (read-only)	\??\j:	kmeipqyqom.exe
File opened (read-only)	\??\m:	wnyjfvpz.exe
File opened (read-only)	\??\v:	wnyjfvpz.exe
File opened (read-only)	\??\r:	kmeipqyqom.exe
File opened (read-only)	\??\s:	kmeipqyqom.exe
File opened (read-only)	\??\p:	wnyjfvpz.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	kmeipqyqom.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	kmeipqyqom.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1188-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1188-77-0x0000000003390000-0x0000000003430000-memory.dmp	autoit_exe
behavioral1/memory/2024-78-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/764-80-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1868-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/632-82-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-87-0x00000000038A0000-0x0000000003940000-memory.dmp	autoit_exe
behavioral1/memory/1488-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1188-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2024-94-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1868-96-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/764-95-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/632-97-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1488-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kmeipqyqom.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification	C:\Windows\SysWOW64\wnyjfvpz.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created	C:\Windows\SysWOW64\mssasajwbxxjv.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification	C:\Windows\SysWOW64\mssasajwbxxjv.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	kmeipqyqom.exe
File created	C:\Windows\SysWOW64\kmeipqyqom.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created	C:\Windows\SysWOW64\bddildzssfsqkos.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification	C:\Windows\SysWOW64\bddildzssfsqkos.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File created	C:\Windows\SysWOW64\wnyjfvpz.exe	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wnyjfvpz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wnyjfvpz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wnyjfvpz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wnyjfvpz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wnyjfvpz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wnyjfvpz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wnyjfvpz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wnyjfvpz.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	kmeipqyqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	kmeipqyqom.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	kmeipqyqom.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B15D44E739E853C8B9D433EED4CC"	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFCFCFF4F5A85699042D75F7DE6BC95E1305830664F6334D6E9"	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFAB0F910F190837C3B4581EA3E92B38C028B42120238E1C542EF09A9"	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	kmeipqyqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	kmeipqyqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	kmeipqyqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1092	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1724	explorer.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: 33	1500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1500	AUDIODG.EXE
Token: 33	1500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1500	AUDIODG.EXE
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	828	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe
Token: SeShutdownPrivilege	1724	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
1868	wnyjfvpz.exe
764	bddildzssfsqkos.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
1488	wnyjfvpz.exe
828	explorer.exe
828	explorer.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1092	WINWORD.EXE
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
2024	kmeipqyqom.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
1868	wnyjfvpz.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
764	bddildzssfsqkos.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
632	mssasajwbxxjv.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
828	explorer.exe
1488	wnyjfvpz.exe
1488	wnyjfvpz.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe
1724	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1092	WINWORD.EXE
1092	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2024	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	28
PID 1188 wrote to memory of 2024	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	28
PID 1188 wrote to memory of 2024	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	28
PID 1188 wrote to memory of 2024	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	28
PID 1188 wrote to memory of 764	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	29
PID 1188 wrote to memory of 764	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	29
PID 1188 wrote to memory of 764	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	29
PID 1188 wrote to memory of 764	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	29
PID 1188 wrote to memory of 1868	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	30
PID 1188 wrote to memory of 1868	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	30
PID 1188 wrote to memory of 1868	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	30
PID 1188 wrote to memory of 1868	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	30
PID 1188 wrote to memory of 632	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	31
PID 1188 wrote to memory of 632	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	31
PID 1188 wrote to memory of 632	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	31
PID 1188 wrote to memory of 632	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	31
PID 2024 wrote to memory of 1488	2024	kmeipqyqom.exe	35
PID 2024 wrote to memory of 1488	2024	kmeipqyqom.exe	35
PID 2024 wrote to memory of 1488	2024	kmeipqyqom.exe	35
PID 2024 wrote to memory of 1488	2024	kmeipqyqom.exe	35
PID 1188 wrote to memory of 1092	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	36
PID 1188 wrote to memory of 1092	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	36
PID 1188 wrote to memory of 1092	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	36
PID 1188 wrote to memory of 1092	1188	245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe	36
PID 1092 wrote to memory of 2016	1092	WINWORD.EXE	42
PID 1092 wrote to memory of 2016	1092	WINWORD.EXE	42
PID 1092 wrote to memory of 2016	1092	WINWORD.EXE	42
PID 1092 wrote to memory of 2016	1092	WINWORD.EXE	42

C:\Users\Admin\AppData\Local\Temp\245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe
"C:\Users\Admin\AppData\Local\Temp\245ce1f8de51a44737847b5ee5c7a9868e9c65362f9beea39c2a140c2eb2f3f1.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\kmeipqyqom.exe
  kmeipqyqom.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\wnyjfvpz.exe
    C:\Windows\system32\wnyjfvpz.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1488
- C:\Windows\SysWOW64\bddildzssfsqkos.exe
  bddildzssfsqkos.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:764
- C:\Windows\SysWOW64\wnyjfvpz.exe
  wnyjfvpz.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1868
- C:\Windows\SysWOW64\mssasajwbxxjv.exe
  mssasajwbxxjv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:632
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2016

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
ce3169e6372b5254fb11a6b67da4f711

SHA1
07c32ddfed8717e0e4c97a39a99fa65a8a122dad

SHA256
384b08be7ea13f9ca7ac970db449d00f6bbaec2d7a706b7002a7ef969fa726fb

SHA512
5b0066ae2700b35583c0d01a1b112e106d471f156c8a9102dc2e529b7e8986997a73d253d87cc515fd0d1b4f51aa1229f91ce182a0ff47f9f304493da805f7d7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
41545ae5d1772c8595cfc4c029516aae

SHA1
6d51ae7159db6031e09dcc567a79465e247a4572

SHA256
52338a18c5ba88d386a2db0f568292f3d04338d520291443381189f909cb7fff

SHA512
19b2684d1a293a68ea4a5e34f61195c26a794daf266b84107dad6d5e02bdce78242ffe4ce9bc2673ef20d7a5b0d0d86dadc24588fa7dd94057a222542ec62390

Download Submit
C:\Users\Admin\Desktop\ImportConfirm.doc.exe

Filesize
255KB

MD5
6945e0915f95ae89efa587904ed93074

SHA1
ced9b50a19a1125daacfa7b6fb88f0deb23e6b46

SHA256
9b88ad2a17025398d06901bcaca62e2c3ce523e71236a1d8bca312c98b7ddf92

SHA512
bc9b265b75fdde667cb2426f4415aff6d93195b8be0019a9f80e81ccc5037b343ef818adb1d0c5d84a60691891bd38f81188c6ae83c381286bd1ae3c751c108a

Download Submit
C:\Windows\SysWOW64\bddildzssfsqkos.exe

Filesize
255KB

MD5
e25ab0d6194ad665adf49b8414c8ee0d

SHA1
9335495e5c01e55be894cf1cf06283da8b0e0a0e

SHA256
574b9a842f6648fc29db57951b75a88426b88b94ceb9ff4bcb35dc7cf9d81d0d

SHA512
1cb737e54891ff6b4d2a1a59d26fee1b76d312da263c04469606e38f686c75d4910a3702ccf04fdbfda62fcfeabaad9b745d367725d7195b171ad9f8662e125d

Download Submit
C:\Windows\SysWOW64\bddildzssfsqkos.exe

Filesize
255KB

MD5
e25ab0d6194ad665adf49b8414c8ee0d

SHA1
9335495e5c01e55be894cf1cf06283da8b0e0a0e

SHA256
574b9a842f6648fc29db57951b75a88426b88b94ceb9ff4bcb35dc7cf9d81d0d

SHA512
1cb737e54891ff6b4d2a1a59d26fee1b76d312da263c04469606e38f686c75d4910a3702ccf04fdbfda62fcfeabaad9b745d367725d7195b171ad9f8662e125d

Download Submit
C:\Windows\SysWOW64\kmeipqyqom.exe

Filesize
255KB

MD5
73fb52048c323d80b781480ad42da403

SHA1
585bc562e00bffcb6e37601983afcf4695a5e2f2

SHA256
3a00730b30e4fdbc449a9374814923044dd317e7aefcb05eee8e87317360c9ab

SHA512
438fe3bf3324e3b557c5796ce0a3a29034f59c540b35fbf41afb7599a1805d0e2e029b5c3655980f492075900f034acf760674fde142e49cc442811881f88431

Download Submit
C:\Windows\SysWOW64\kmeipqyqom.exe

Filesize
255KB

MD5
73fb52048c323d80b781480ad42da403

SHA1
585bc562e00bffcb6e37601983afcf4695a5e2f2

SHA256
3a00730b30e4fdbc449a9374814923044dd317e7aefcb05eee8e87317360c9ab

SHA512
438fe3bf3324e3b557c5796ce0a3a29034f59c540b35fbf41afb7599a1805d0e2e029b5c3655980f492075900f034acf760674fde142e49cc442811881f88431

Download Submit
C:\Windows\SysWOW64\mssasajwbxxjv.exe

Filesize
255KB

MD5
d3c10bbc89cf5f39d4a3c143ea144a1c

SHA1
53aad621ffc7d5914cd4dc16cf3ed55086d28969

SHA256
d6041fd8460830818587bd9cb2d9ccc959fcba9f4fcb92ebd93d5c3a498d7490

SHA512
ae88443577fef71192997739e13b61c379aab36416300f4daff632cda8eb21b392841ddfc32703ade3d1a0564a34674343002eab1f7c1f335c9b934aa2b729ea

Download Submit
C:\Windows\SysWOW64\mssasajwbxxjv.exe

Filesize
255KB

MD5
d3c10bbc89cf5f39d4a3c143ea144a1c

SHA1
53aad621ffc7d5914cd4dc16cf3ed55086d28969

SHA256
d6041fd8460830818587bd9cb2d9ccc959fcba9f4fcb92ebd93d5c3a498d7490

SHA512
ae88443577fef71192997739e13b61c379aab36416300f4daff632cda8eb21b392841ddfc32703ade3d1a0564a34674343002eab1f7c1f335c9b934aa2b729ea

Download Submit
C:\Windows\SysWOW64\wnyjfvpz.exe

Filesize
255KB

MD5
97550c341e2fe0e367685e582aec811d

SHA1
d66ab861a95e1ef7b3c8cf6a10425decfe9bd8e7

SHA256
a1f5b13175bfed61760a933c33175a38837b3cb069ffa1a33c1578db5cb6ee6e

SHA512
8a98471d568e9a2d015375e84af5febed35e6fc9b788b2c94f6da9da406b38f11b12bde99f2cc5935aaffd2b633693af72f04d93abb9403d33a3f613a87a8803

Download Submit
C:\Windows\SysWOW64\wnyjfvpz.exe

Filesize
255KB

MD5
97550c341e2fe0e367685e582aec811d

SHA1
d66ab861a95e1ef7b3c8cf6a10425decfe9bd8e7

SHA256
a1f5b13175bfed61760a933c33175a38837b3cb069ffa1a33c1578db5cb6ee6e

SHA512
8a98471d568e9a2d015375e84af5febed35e6fc9b788b2c94f6da9da406b38f11b12bde99f2cc5935aaffd2b633693af72f04d93abb9403d33a3f613a87a8803

Download Submit
C:\Windows\SysWOW64\wnyjfvpz.exe

Filesize
255KB

MD5
97550c341e2fe0e367685e582aec811d

SHA1
d66ab861a95e1ef7b3c8cf6a10425decfe9bd8e7

SHA256
a1f5b13175bfed61760a933c33175a38837b3cb069ffa1a33c1578db5cb6ee6e

SHA512
8a98471d568e9a2d015375e84af5febed35e6fc9b788b2c94f6da9da406b38f11b12bde99f2cc5935aaffd2b633693af72f04d93abb9403d33a3f613a87a8803

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\bddildzssfsqkos.exe

Filesize
255KB

MD5
e25ab0d6194ad665adf49b8414c8ee0d

SHA1
9335495e5c01e55be894cf1cf06283da8b0e0a0e

SHA256
574b9a842f6648fc29db57951b75a88426b88b94ceb9ff4bcb35dc7cf9d81d0d

SHA512
1cb737e54891ff6b4d2a1a59d26fee1b76d312da263c04469606e38f686c75d4910a3702ccf04fdbfda62fcfeabaad9b745d367725d7195b171ad9f8662e125d

Download Submit
\Windows\SysWOW64\kmeipqyqom.exe

Filesize
255KB

MD5
73fb52048c323d80b781480ad42da403

SHA1
585bc562e00bffcb6e37601983afcf4695a5e2f2

SHA256
3a00730b30e4fdbc449a9374814923044dd317e7aefcb05eee8e87317360c9ab

SHA512
438fe3bf3324e3b557c5796ce0a3a29034f59c540b35fbf41afb7599a1805d0e2e029b5c3655980f492075900f034acf760674fde142e49cc442811881f88431

Download Submit
\Windows\SysWOW64\mssasajwbxxjv.exe

Filesize
255KB

MD5
d3c10bbc89cf5f39d4a3c143ea144a1c

SHA1
53aad621ffc7d5914cd4dc16cf3ed55086d28969

SHA256
d6041fd8460830818587bd9cb2d9ccc959fcba9f4fcb92ebd93d5c3a498d7490

SHA512
ae88443577fef71192997739e13b61c379aab36416300f4daff632cda8eb21b392841ddfc32703ade3d1a0564a34674343002eab1f7c1f335c9b934aa2b729ea

Download Submit
\Windows\SysWOW64\wnyjfvpz.exe

Filesize
255KB

MD5
97550c341e2fe0e367685e582aec811d

SHA1
d66ab861a95e1ef7b3c8cf6a10425decfe9bd8e7

SHA256
a1f5b13175bfed61760a933c33175a38837b3cb069ffa1a33c1578db5cb6ee6e

SHA512
8a98471d568e9a2d015375e84af5febed35e6fc9b788b2c94f6da9da406b38f11b12bde99f2cc5935aaffd2b633693af72f04d93abb9403d33a3f613a87a8803

Download Submit
\Windows\SysWOW64\wnyjfvpz.exe

Filesize
255KB

MD5
97550c341e2fe0e367685e582aec811d

SHA1
d66ab861a95e1ef7b3c8cf6a10425decfe9bd8e7

SHA256
a1f5b13175bfed61760a933c33175a38837b3cb069ffa1a33c1578db5cb6ee6e

SHA512
8a98471d568e9a2d015375e84af5febed35e6fc9b788b2c94f6da9da406b38f11b12bde99f2cc5935aaffd2b633693af72f04d93abb9403d33a3f613a87a8803

Download Submit
memory/632-82-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/632-97-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/764-95-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/764-80-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/828-76-0x000007FEFC231000-0x000007FEFC233000-memory.dmp

Filesize
8KB

Download
memory/1092-92-0x0000000070571000-0x0000000070573000-memory.dmp

Filesize
8KB

Download
memory/1092-103-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download
memory/1092-101-0x000000006BB11000-0x000000006BB13000-memory.dmp

Filesize
8KB

Download
memory/1092-98-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1092-105-0x000000007155D000-0x0000000071568000-memory.dmp

Filesize
44KB

Download
memory/1092-106-0x000000006B9E1000-0x000000006B9E3000-memory.dmp

Filesize
8KB

Download
memory/1092-91-0x0000000072AF1000-0x0000000072AF4000-memory.dmp

Filesize
12KB

Download
memory/1188-79-0x0000000003390000-0x0000000003430000-memory.dmp

Filesize
640KB

Download
memory/1188-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1188-77-0x0000000003390000-0x0000000003430000-memory.dmp

Filesize
640KB

Download
memory/1188-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1188-54-0x0000000076691000-0x0000000076693000-memory.dmp

Filesize
8KB

Download
memory/1488-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1488-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1724-93-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/1724-112-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1868-96-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1868-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2024-94-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2024-87-0x00000000038A0000-0x0000000003940000-memory.dmp

Filesize
640KB

Download
memory/2024-78-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download