8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
Size

255KB
MD5

79a6fe42576922b7fc950809bdaa3b9d
SHA1

96298b68c1242ef6c489b98b55caeb7b64c3f0a7
SHA256

8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a
SHA512

2522fb0a084cab2be12cc926b9ad898a8c7755d28677a469a1dfd3dfb56d8d91c68441dcb3ee1eede17648b4fe8a9b47ea559939d7eea01fec385b834ba1cdf1
SSDEEP

3072:MMDb50WrZa8jCgae5+VQkGdUQFDxePZ2SBaQJXkNRtXlNGKaUIQW/qlQBG3mmTJd:1xlZam+akqx6YQJXcNlEHUIQeE3mmBIc

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wquqqwmmup.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wquqqwmmup.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wquqqwmmup.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wquqqwmmup.exe

Executes dropped EXE 5 IoCs

pid	Process
1388	wquqqwmmup.exe
1232	bbdiynghnxthqop.exe
1228	acjrxajx.exe
1716	inebnpttkslpw.exe
684	acjrxajx.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/memory/1896-56-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1896-57-0x0000000002EE0000-0x0000000002F80000-memory.dmp	upx
behavioral1/files/0x00140000000054ab-59.dat	upx
behavioral1/files/0x0009000000013300-60.dat	upx
behavioral1/files/0x0009000000013300-63.dat	upx
behavioral1/files/0x00140000000054ab-64.dat	upx
behavioral1/files/0x0007000000013494-66.dat	upx
behavioral1/files/0x00070000000136c7-70.dat	upx
behavioral1/files/0x0007000000013494-68.dat	upx
behavioral1/files/0x00070000000136c7-72.dat	upx
behavioral1/files/0x0007000000013494-73.dat	upx
behavioral1/files/0x0009000000013300-75.dat	upx
behavioral1/files/0x00070000000136c7-76.dat	upx
behavioral1/files/0x0007000000013494-77.dat	upx
behavioral1/files/0x0007000000013494-79.dat	upx
behavioral1/memory/1388-81-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1232-83-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1228-84-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x00020000000001bf-85.dat	upx
behavioral1/memory/1716-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/684-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1896-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000600000001449b-98.dat	upx
behavioral1/files/0x000600000001449b-99.dat	upx
behavioral1/memory/1388-100-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1232-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1228-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1716-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/684-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1388	wquqqwmmup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wquqqwmmup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	bbdiynghnxthqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gocxpbwo = "wquqqwmmup.exe"	bbdiynghnxthqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hcfqrzfl = "bbdiynghnxthqop.exe"	bbdiynghnxthqop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "inebnpttkslpw.exe"	bbdiynghnxthqop.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	wquqqwmmup.exe
File opened (read-only)	\??\k:	wquqqwmmup.exe
File opened (read-only)	\??\n:	acjrxajx.exe
File opened (read-only)	\??\q:	acjrxajx.exe
File opened (read-only)	\??\h:	acjrxajx.exe
File opened (read-only)	\??\v:	acjrxajx.exe
File opened (read-only)	\??\b:	wquqqwmmup.exe
File opened (read-only)	\??\p:	wquqqwmmup.exe
File opened (read-only)	\??\z:	wquqqwmmup.exe
File opened (read-only)	\??\n:	acjrxajx.exe
File opened (read-only)	\??\f:	wquqqwmmup.exe
File opened (read-only)	\??\g:	acjrxajx.exe
File opened (read-only)	\??\a:	acjrxajx.exe
File opened (read-only)	\??\b:	acjrxajx.exe
File opened (read-only)	\??\m:	acjrxajx.exe
File opened (read-only)	\??\x:	wquqqwmmup.exe
File opened (read-only)	\??\b:	acjrxajx.exe
File opened (read-only)	\??\f:	acjrxajx.exe
File opened (read-only)	\??\h:	acjrxajx.exe
File opened (read-only)	\??\u:	acjrxajx.exe
File opened (read-only)	\??\r:	acjrxajx.exe
File opened (read-only)	\??\n:	wquqqwmmup.exe
File opened (read-only)	\??\q:	wquqqwmmup.exe
File opened (read-only)	\??\v:	acjrxajx.exe
File opened (read-only)	\??\q:	acjrxajx.exe
File opened (read-only)	\??\x:	acjrxajx.exe
File opened (read-only)	\??\m:	wquqqwmmup.exe
File opened (read-only)	\??\g:	wquqqwmmup.exe
File opened (read-only)	\??\z:	acjrxajx.exe
File opened (read-only)	\??\l:	acjrxajx.exe
File opened (read-only)	\??\s:	acjrxajx.exe
File opened (read-only)	\??\w:	acjrxajx.exe
File opened (read-only)	\??\i:	acjrxajx.exe
File opened (read-only)	\??\o:	acjrxajx.exe
File opened (read-only)	\??\t:	acjrxajx.exe
File opened (read-only)	\??\e:	wquqqwmmup.exe
File opened (read-only)	\??\i:	wquqqwmmup.exe
File opened (read-only)	\??\l:	wquqqwmmup.exe
File opened (read-only)	\??\i:	acjrxajx.exe
File opened (read-only)	\??\j:	acjrxajx.exe
File opened (read-only)	\??\k:	acjrxajx.exe
File opened (read-only)	\??\s:	acjrxajx.exe
File opened (read-only)	\??\z:	acjrxajx.exe
File opened (read-only)	\??\t:	acjrxajx.exe
File opened (read-only)	\??\m:	acjrxajx.exe
File opened (read-only)	\??\f:	acjrxajx.exe
File opened (read-only)	\??\g:	acjrxajx.exe
File opened (read-only)	\??\h:	wquqqwmmup.exe
File opened (read-only)	\??\u:	wquqqwmmup.exe
File opened (read-only)	\??\y:	wquqqwmmup.exe
File opened (read-only)	\??\e:	acjrxajx.exe
File opened (read-only)	\??\r:	acjrxajx.exe
File opened (read-only)	\??\x:	acjrxajx.exe
File opened (read-only)	\??\e:	acjrxajx.exe
File opened (read-only)	\??\w:	acjrxajx.exe
File opened (read-only)	\??\r:	wquqqwmmup.exe
File opened (read-only)	\??\k:	acjrxajx.exe
File opened (read-only)	\??\o:	acjrxajx.exe
File opened (read-only)	\??\y:	acjrxajx.exe
File opened (read-only)	\??\o:	wquqqwmmup.exe
File opened (read-only)	\??\s:	wquqqwmmup.exe
File opened (read-only)	\??\w:	wquqqwmmup.exe
File opened (read-only)	\??\p:	acjrxajx.exe
File opened (read-only)	\??\u:	acjrxajx.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	wquqqwmmup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	wquqqwmmup.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1896-56-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1388-81-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1232-83-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1228-84-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1896-86-0x0000000002EE0000-0x0000000002F80000-memory.dmp	autoit_exe
behavioral1/memory/1716-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/684-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1896-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1388-100-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1232-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1228-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1716-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/684-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inebnpttkslpw.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\SysWOW64\inebnpttkslpw.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\SysWOW64\wquqqwmmup.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File created	C:\Windows\SysWOW64\bbdiynghnxthqop.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\SysWOW64\bbdiynghnxthqop.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File created	C:\Windows\SysWOW64\acjrxajx.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\SysWOW64\acjrxajx.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	wquqqwmmup.exe
File created	C:\Windows\SysWOW64\wquqqwmmup.exe	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files\InstallApprove.doc.exe	acjrxajx.exe
File opened for modification	C:\Program Files\InstallApprove.doc.exe	acjrxajx.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	acjrxajx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	acjrxajx.exe
File created	\??\c:\Program Files\InstallApprove.doc.exe	acjrxajx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files\InstallApprove.nal	acjrxajx.exe
File opened for modification	\??\c:\Program Files\InstallApprove.doc.exe	acjrxajx.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	acjrxajx.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	acjrxajx.exe
File opened for modification	\??\c:\Program Files\InstallApprove.doc.exe	acjrxajx.exe
File opened for modification	C:\Program Files\InstallApprove.nal	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	acjrxajx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	acjrxajx.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEFACDF910F19084793B30869C3999B08103FC42130348E2CF42EF09D1"	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	wquqqwmmup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	wquqqwmmup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C60B15E4DBC5B9BD7F97EDE334BE"	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1556	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1228	acjrxajx.exe
1228	acjrxajx.exe
1228	acjrxajx.exe
1228	acjrxajx.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
684	acjrxajx.exe
684	acjrxajx.exe
684	acjrxajx.exe
684	acjrxajx.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1232	bbdiynghnxthqop.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1228	acjrxajx.exe
1228	acjrxajx.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1228	acjrxajx.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
684	acjrxajx.exe
684	acjrxajx.exe
684	acjrxajx.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1388	wquqqwmmup.exe
1228	acjrxajx.exe
1228	acjrxajx.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1232	bbdiynghnxthqop.exe
1228	acjrxajx.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
1716	inebnpttkslpw.exe
684	acjrxajx.exe
684	acjrxajx.exe
684	acjrxajx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1556	WINWORD.EXE
1556	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1388	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	28
PID 1896 wrote to memory of 1388	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	28
PID 1896 wrote to memory of 1388	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	28
PID 1896 wrote to memory of 1388	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	28
PID 1896 wrote to memory of 1232	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	29
PID 1896 wrote to memory of 1232	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	29
PID 1896 wrote to memory of 1232	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	29
PID 1896 wrote to memory of 1232	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	29
PID 1896 wrote to memory of 1228	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	30
PID 1896 wrote to memory of 1228	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	30
PID 1896 wrote to memory of 1228	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	30
PID 1896 wrote to memory of 1228	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	30
PID 1896 wrote to memory of 1716	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	31
PID 1896 wrote to memory of 1716	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	31
PID 1896 wrote to memory of 1716	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	31
PID 1896 wrote to memory of 1716	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	31
PID 1388 wrote to memory of 684	1388	wquqqwmmup.exe	32
PID 1388 wrote to memory of 684	1388	wquqqwmmup.exe	32
PID 1388 wrote to memory of 684	1388	wquqqwmmup.exe	32
PID 1388 wrote to memory of 684	1388	wquqqwmmup.exe	32
PID 1896 wrote to memory of 1556	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	33
PID 1896 wrote to memory of 1556	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	33
PID 1896 wrote to memory of 1556	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	33
PID 1896 wrote to memory of 1556	1896	8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe	33
PID 1556 wrote to memory of 1584	1556	WINWORD.EXE	37
PID 1556 wrote to memory of 1584	1556	WINWORD.EXE	37
PID 1556 wrote to memory of 1584	1556	WINWORD.EXE	37
PID 1556 wrote to memory of 1584	1556	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe
"C:\Users\Admin\AppData\Local\Temp\8df9c8bcf5098270dc1012b8a6563596e44c8dcfc6423a52fd0185c35260112a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\wquqqwmmup.exe
  wquqqwmmup.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\acjrxajx.exe
    C:\Windows\system32\acjrxajx.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:684
- C:\Windows\SysWOW64\bbdiynghnxthqop.exe
  bbdiynghnxthqop.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1232
- C:\Windows\SysWOW64\acjrxajx.exe
  acjrxajx.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1228
- C:\Windows\SysWOW64\inebnpttkslpw.exe
  inebnpttkslpw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1716
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
3ab40f245cec2f11a5e62fa1f68d5bba

SHA1
cd13219229f1dfdbc21964b3219e66e68e65874e

SHA256
aea4acc465ed2e72b8b6d6dc29e9f7f6fb331ddd538a7510c70cb9d9770c00df

SHA512
804c3907abb1767ec8ccf692b2756b37a9eef547bb6955a95be3f94577eb71165167d6a399a8a545a9622bd8379ce3b9e1f94bdd8728b8d8dcae99c456f4c826

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
3ab40f245cec2f11a5e62fa1f68d5bba

SHA1
cd13219229f1dfdbc21964b3219e66e68e65874e

SHA256
aea4acc465ed2e72b8b6d6dc29e9f7f6fb331ddd538a7510c70cb9d9770c00df

SHA512
804c3907abb1767ec8ccf692b2756b37a9eef547bb6955a95be3f94577eb71165167d6a399a8a545a9622bd8379ce3b9e1f94bdd8728b8d8dcae99c456f4c826

Download Submit
C:\Program Files\InstallApprove.doc.exe

Filesize
255KB

MD5
5841b3733f63c10260d4f71125db2485

SHA1
a43ea6c0b293f4ee5948c29c988589c0509af7fd

SHA256
f048e2adda832396becac8956f58cf2ed29cc805e27eef465c2215512acf7758

SHA512
66b4364bae2255439ba69be3d5bf406989e7dffe01076c13d6e421d98a49c392cb0f8db2bae78148e056419f9e62e15983cebd876430563efcbd7e006396d89a

Download Submit
C:\Windows\SysWOW64\acjrxajx.exe

Filesize
255KB

MD5
6fdc39c3bc3a4a7aaf38af20381c0970

SHA1
9116e19662f5665b93d8033a4246fb4f6dd874a2

SHA256
fbcfd80899c6fd34bb4776aa6a5ba4b16911fe75c68d505f2647a1b721eca26a

SHA512
0568629feaa7364c4057d290ae7757f272b223a51f645d7b07ea34b13623e148da233ab79c96872a706430e4e185bba156e78d5e324bcdfbebce17d78e7929c2

Download Submit
C:\Windows\SysWOW64\acjrxajx.exe

Filesize
255KB

MD5
6fdc39c3bc3a4a7aaf38af20381c0970

SHA1
9116e19662f5665b93d8033a4246fb4f6dd874a2

SHA256
fbcfd80899c6fd34bb4776aa6a5ba4b16911fe75c68d505f2647a1b721eca26a

SHA512
0568629feaa7364c4057d290ae7757f272b223a51f645d7b07ea34b13623e148da233ab79c96872a706430e4e185bba156e78d5e324bcdfbebce17d78e7929c2

Download Submit
C:\Windows\SysWOW64\acjrxajx.exe

Filesize
255KB

MD5
6fdc39c3bc3a4a7aaf38af20381c0970

SHA1
9116e19662f5665b93d8033a4246fb4f6dd874a2

SHA256
fbcfd80899c6fd34bb4776aa6a5ba4b16911fe75c68d505f2647a1b721eca26a

SHA512
0568629feaa7364c4057d290ae7757f272b223a51f645d7b07ea34b13623e148da233ab79c96872a706430e4e185bba156e78d5e324bcdfbebce17d78e7929c2

Download Submit
C:\Windows\SysWOW64\bbdiynghnxthqop.exe

Filesize
255KB

MD5
1e43678b57ef9aebc80a4ddbfdef3a08

SHA1
fce4a98dde1661e5ec603d8565f5789359e97218

SHA256
a868f93a68b1bb5f8a97f9b96fdf94af9e54ef4d87b390f9dc330b847878ab23

SHA512
f23a8df08d1f99a39dc6ac2edd19a73bf99d61a61bc3fc3a4c7af0114bef82b05accf02628109fe2d7976fafa308ef9dcce8c623acf0001b7f00e4b097d3773f

Download Submit
C:\Windows\SysWOW64\bbdiynghnxthqop.exe

Filesize
255KB

MD5
1e43678b57ef9aebc80a4ddbfdef3a08

SHA1
fce4a98dde1661e5ec603d8565f5789359e97218

SHA256
a868f93a68b1bb5f8a97f9b96fdf94af9e54ef4d87b390f9dc330b847878ab23

SHA512
f23a8df08d1f99a39dc6ac2edd19a73bf99d61a61bc3fc3a4c7af0114bef82b05accf02628109fe2d7976fafa308ef9dcce8c623acf0001b7f00e4b097d3773f

Download Submit
C:\Windows\SysWOW64\inebnpttkslpw.exe

Filesize
255KB

MD5
2030fbe5c7810d0fb2ff190658278880

SHA1
276c6094a72a9792e447d0345a2cbe5a6cbaa6e6

SHA256
c193f16d4e1e72f6a5dd603b73c6a3a6f0f538000be031f9d59b04aeccae3e66

SHA512
17d4291ab5dc29d5fee353bf4ec36c20c5f8dc805f3bf21aed6fc8ae29f994b65b6d75400a26ddc8542a6c6dd847fcea48df1d3604d2d6bbf891781b76757dec

Download Submit
C:\Windows\SysWOW64\inebnpttkslpw.exe

Filesize
255KB

MD5
2030fbe5c7810d0fb2ff190658278880

SHA1
276c6094a72a9792e447d0345a2cbe5a6cbaa6e6

SHA256
c193f16d4e1e72f6a5dd603b73c6a3a6f0f538000be031f9d59b04aeccae3e66

SHA512
17d4291ab5dc29d5fee353bf4ec36c20c5f8dc805f3bf21aed6fc8ae29f994b65b6d75400a26ddc8542a6c6dd847fcea48df1d3604d2d6bbf891781b76757dec

Download Submit
C:\Windows\SysWOW64\wquqqwmmup.exe

Filesize
255KB

MD5
9acea6b7b62e9a53eb0f54c472ff0b32

SHA1
5ffc53d50c06f38d8d12d0f27ca4699a05e76a23

SHA256
db7e0dd7b16158f0f99f579db1837d86da3bf8b9561e1396f0a879d9b5bd3769

SHA512
47e10c1b39115e2b5cb7eaf6d57c4fd4d74795968b99b7dd887e6e5264d3fffe43b7cdaa357a844e7487eb69672227c1ca148b0de4f2daa33643e0a0b26ddf50

Download Submit
C:\Windows\SysWOW64\wquqqwmmup.exe

Filesize
255KB

MD5
9acea6b7b62e9a53eb0f54c472ff0b32

SHA1
5ffc53d50c06f38d8d12d0f27ca4699a05e76a23

SHA256
db7e0dd7b16158f0f99f579db1837d86da3bf8b9561e1396f0a879d9b5bd3769

SHA512
47e10c1b39115e2b5cb7eaf6d57c4fd4d74795968b99b7dd887e6e5264d3fffe43b7cdaa357a844e7487eb69672227c1ca148b0de4f2daa33643e0a0b26ddf50

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\acjrxajx.exe

Filesize
255KB

MD5
6fdc39c3bc3a4a7aaf38af20381c0970

SHA1
9116e19662f5665b93d8033a4246fb4f6dd874a2

SHA256
fbcfd80899c6fd34bb4776aa6a5ba4b16911fe75c68d505f2647a1b721eca26a

SHA512
0568629feaa7364c4057d290ae7757f272b223a51f645d7b07ea34b13623e148da233ab79c96872a706430e4e185bba156e78d5e324bcdfbebce17d78e7929c2

Download Submit
\Windows\SysWOW64\acjrxajx.exe

Filesize
255KB

MD5
6fdc39c3bc3a4a7aaf38af20381c0970

SHA1
9116e19662f5665b93d8033a4246fb4f6dd874a2

SHA256
fbcfd80899c6fd34bb4776aa6a5ba4b16911fe75c68d505f2647a1b721eca26a

SHA512
0568629feaa7364c4057d290ae7757f272b223a51f645d7b07ea34b13623e148da233ab79c96872a706430e4e185bba156e78d5e324bcdfbebce17d78e7929c2

Download Submit
\Windows\SysWOW64\bbdiynghnxthqop.exe

Filesize
255KB

MD5
1e43678b57ef9aebc80a4ddbfdef3a08

SHA1
fce4a98dde1661e5ec603d8565f5789359e97218

SHA256
a868f93a68b1bb5f8a97f9b96fdf94af9e54ef4d87b390f9dc330b847878ab23

SHA512
f23a8df08d1f99a39dc6ac2edd19a73bf99d61a61bc3fc3a4c7af0114bef82b05accf02628109fe2d7976fafa308ef9dcce8c623acf0001b7f00e4b097d3773f

Download Submit
\Windows\SysWOW64\inebnpttkslpw.exe

Filesize
255KB

MD5
2030fbe5c7810d0fb2ff190658278880

SHA1
276c6094a72a9792e447d0345a2cbe5a6cbaa6e6

SHA256
c193f16d4e1e72f6a5dd603b73c6a3a6f0f538000be031f9d59b04aeccae3e66

SHA512
17d4291ab5dc29d5fee353bf4ec36c20c5f8dc805f3bf21aed6fc8ae29f994b65b6d75400a26ddc8542a6c6dd847fcea48df1d3604d2d6bbf891781b76757dec

Download Submit
\Windows\SysWOW64\wquqqwmmup.exe

Filesize
255KB

MD5
9acea6b7b62e9a53eb0f54c472ff0b32

SHA1
5ffc53d50c06f38d8d12d0f27ca4699a05e76a23

SHA256
db7e0dd7b16158f0f99f579db1837d86da3bf8b9561e1396f0a879d9b5bd3769

SHA512
47e10c1b39115e2b5cb7eaf6d57c4fd4d74795968b99b7dd887e6e5264d3fffe43b7cdaa357a844e7487eb69672227c1ca148b0de4f2daa33643e0a0b26ddf50

Download Submit
memory/684-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/684-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1228-84-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1228-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1232-83-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1232-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1388-100-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1388-88-0x0000000003830000-0x00000000038D0000-memory.dmp

Filesize
640KB

Download
memory/1388-81-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1556-97-0x00000000715AD000-0x00000000715B8000-memory.dmp

Filesize
44KB

Download
memory/1556-105-0x00000000715AD000-0x00000000715B8000-memory.dmp

Filesize
44KB

Download
memory/1556-92-0x0000000072B41000-0x0000000072B44000-memory.dmp

Filesize
12KB

Download
memory/1556-93-0x00000000705C1000-0x00000000705C3000-memory.dmp

Filesize
8KB

Download
memory/1556-94-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1556-109-0x00000000715AD000-0x00000000715B8000-memory.dmp

Filesize
44KB

Download
memory/1556-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1584-107-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1716-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1716-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1896-86-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/1896-56-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1896-57-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/1896-82-0x0000000002EE0000-0x0000000002F80000-memory.dmp

Filesize
640KB

Download
memory/1896-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1896-54-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download