d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59

Analysis

max time kernel
152s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Size

255KB
MD5

e511ce5643ddf34295356ba91f63bef3
SHA1

8351c5b318f9459c6146d4033b7a61c004aea55f
SHA256

d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59
SHA512

70527588420ec0e66f834b108708e73cd313b58f4ad78b774d6343851d6a03460b5a989dae78795d61ac312ef5a7f2809b23d2d27c3fbb15f7da48aac8364837
SSDEEP

6144:1xlZam+akqx6YQJXcNlEHUIQeE3mmBI8N:Plf5j6zCNa0xeE3m0N

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	vkjudclwcf.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vkjudclwcf.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	vkjudclwcf.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vkjudclwcf.exe

Executes dropped EXE 6 IoCs

pid	Process
296	vkjudclwcf.exe
856	xifylppztjkpiru.exe
468	iokgfksl.exe
2036	ibomntkousycc.exe
920	iokgfksl.exe
1772	ibomntkousycc.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1216-55-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x000b000000012333-56.dat	upx
behavioral1/files/0x0009000000012696-60.dat	upx
behavioral1/files/0x000b000000012333-58.dat	upx
behavioral1/files/0x0009000000012696-62.dat	upx
behavioral1/files/0x000b000000012333-64.dat	upx
behavioral1/files/0x0009000000012696-65.dat	upx
behavioral1/files/0x0008000000012750-66.dat	upx
behavioral1/files/0x0008000000012750-68.dat	upx
behavioral1/files/0x0008000000013109-70.dat	upx
behavioral1/files/0x0008000000013109-72.dat	upx
behavioral1/files/0x0008000000012750-75.dat	upx
behavioral1/files/0x0008000000012750-76.dat	upx
behavioral1/files/0x0008000000013109-78.dat	upx
behavioral1/files/0x0008000000012750-79.dat	upx
behavioral1/files/0x0008000000013109-81.dat	upx
behavioral1/files/0x0008000000013109-83.dat	upx
behavioral1/memory/296-85-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/856-87-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/468-88-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2036-89-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/920-90-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1772-91-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1216-93-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/296-99-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/856-100-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/2036-102-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/468-101-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/920-103-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/memory/1772-104-0x0000000000400000-0x00000000004A0000-memory.dmp	upx
behavioral1/files/0x0006000000014159-109.dat	upx
behavioral1/files/0x00060000000141e7-110.dat	upx
behavioral1/files/0x0008000000013a04-113.dat	upx
behavioral1/files/0x0008000000013a04-114.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
296	vkjudclwcf.exe
360	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	vkjudclwcf.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	xifylppztjkpiru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\omgtezem = "vkjudclwcf.exe"	xifylppztjkpiru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nammqfnt = "xifylppztjkpiru.exe"	xifylppztjkpiru.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ibomntkousycc.exe"	xifylppztjkpiru.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	vkjudclwcf.exe
File opened (read-only)	\??\p:	vkjudclwcf.exe
File opened (read-only)	\??\x:	vkjudclwcf.exe
File opened (read-only)	\??\k:	iokgfksl.exe
File opened (read-only)	\??\v:	iokgfksl.exe
File opened (read-only)	\??\z:	iokgfksl.exe
File opened (read-only)	\??\i:	iokgfksl.exe
File opened (read-only)	\??\j:	iokgfksl.exe
File opened (read-only)	\??\h:	iokgfksl.exe
File opened (read-only)	\??\y:	iokgfksl.exe
File opened (read-only)	\??\f:	iokgfksl.exe
File opened (read-only)	\??\o:	iokgfksl.exe
File opened (read-only)	\??\t:	iokgfksl.exe
File opened (read-only)	\??\q:	vkjudclwcf.exe
File opened (read-only)	\??\e:	iokgfksl.exe
File opened (read-only)	\??\i:	iokgfksl.exe
File opened (read-only)	\??\p:	iokgfksl.exe
File opened (read-only)	\??\q:	iokgfksl.exe
File opened (read-only)	\??\l:	iokgfksl.exe
File opened (read-only)	\??\a:	iokgfksl.exe
File opened (read-only)	\??\m:	vkjudclwcf.exe
File opened (read-only)	\??\z:	vkjudclwcf.exe
File opened (read-only)	\??\h:	iokgfksl.exe
File opened (read-only)	\??\m:	iokgfksl.exe
File opened (read-only)	\??\h:	vkjudclwcf.exe
File opened (read-only)	\??\r:	vkjudclwcf.exe
File opened (read-only)	\??\g:	iokgfksl.exe
File opened (read-only)	\??\o:	iokgfksl.exe
File opened (read-only)	\??\b:	iokgfksl.exe
File opened (read-only)	\??\f:	iokgfksl.exe
File opened (read-only)	\??\k:	iokgfksl.exe
File opened (read-only)	\??\b:	vkjudclwcf.exe
File opened (read-only)	\??\u:	vkjudclwcf.exe
File opened (read-only)	\??\y:	vkjudclwcf.exe
File opened (read-only)	\??\m:	iokgfksl.exe
File opened (read-only)	\??\r:	iokgfksl.exe
File opened (read-only)	\??\t:	iokgfksl.exe
File opened (read-only)	\??\s:	iokgfksl.exe
File opened (read-only)	\??\u:	iokgfksl.exe
File opened (read-only)	\??\w:	vkjudclwcf.exe
File opened (read-only)	\??\p:	iokgfksl.exe
File opened (read-only)	\??\x:	iokgfksl.exe
File opened (read-only)	\??\y:	iokgfksl.exe
File opened (read-only)	\??\n:	iokgfksl.exe
File opened (read-only)	\??\x:	iokgfksl.exe
File opened (read-only)	\??\e:	vkjudclwcf.exe
File opened (read-only)	\??\s:	vkjudclwcf.exe
File opened (read-only)	\??\t:	vkjudclwcf.exe
File opened (read-only)	\??\n:	iokgfksl.exe
File opened (read-only)	\??\r:	iokgfksl.exe
File opened (read-only)	\??\l:	vkjudclwcf.exe
File opened (read-only)	\??\a:	iokgfksl.exe
File opened (read-only)	\??\q:	iokgfksl.exe
File opened (read-only)	\??\i:	vkjudclwcf.exe
File opened (read-only)	\??\n:	vkjudclwcf.exe
File opened (read-only)	\??\o:	vkjudclwcf.exe
File opened (read-only)	\??\b:	iokgfksl.exe
File opened (read-only)	\??\s:	iokgfksl.exe
File opened (read-only)	\??\u:	iokgfksl.exe
File opened (read-only)	\??\g:	iokgfksl.exe
File opened (read-only)	\??\z:	iokgfksl.exe
File opened (read-only)	\??\g:	vkjudclwcf.exe
File opened (read-only)	\??\l:	iokgfksl.exe
File opened (read-only)	\??\w:	iokgfksl.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	vkjudclwcf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	vkjudclwcf.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1216-55-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/296-85-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/856-87-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/468-88-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2036-89-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/920-90-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1772-91-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1216-93-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/296-99-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/856-100-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/2036-102-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/468-101-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/920-103-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe
behavioral1/memory/1772-104-0x0000000000400000-0x00000000004A0000-memory.dmp	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vkjudclwcf.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification	C:\Windows\SysWOW64\xifylppztjkpiru.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification	C:\Windows\SysWOW64\iokgfksl.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created	C:\Windows\SysWOW64\ibomntkousycc.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification	C:\Windows\SysWOW64\ibomntkousycc.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created	C:\Windows\SysWOW64\vkjudclwcf.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created	C:\Windows\SysWOW64\xifylppztjkpiru.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File created	C:\Windows\SysWOW64\iokgfksl.exe	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	vkjudclwcf.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	iokgfksl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	iokgfksl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	iokgfksl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	iokgfksl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	iokgfksl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	iokgfksl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	iokgfksl.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FFFC482F851C9136D6587DE5BDE2E6375844664E6346D7EE"	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC6091594DAB6B9BC7CE2ED9037CD"	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	vkjudclwcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	vkjudclwcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	vkjudclwcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	vkjudclwcf.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	vkjudclwcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
676	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
468	iokgfksl.exe
468	iokgfksl.exe
468	iokgfksl.exe
468	iokgfksl.exe
920	iokgfksl.exe
920	iokgfksl.exe
920	iokgfksl.exe
920	iokgfksl.exe
856	xifylppztjkpiru.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
856	xifylppztjkpiru.exe
2036	ibomntkousycc.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
468	iokgfksl.exe
468	iokgfksl.exe
468	iokgfksl.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
920	iokgfksl.exe
920	iokgfksl.exe
920	iokgfksl.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
296	vkjudclwcf.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
856	xifylppztjkpiru.exe
468	iokgfksl.exe
468	iokgfksl.exe
468	iokgfksl.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
2036	ibomntkousycc.exe
920	iokgfksl.exe
920	iokgfksl.exe
920	iokgfksl.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe
1772	ibomntkousycc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
676	WINWORD.EXE
676	WINWORD.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 296	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	28
PID 1216 wrote to memory of 296	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	28
PID 1216 wrote to memory of 296	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	28
PID 1216 wrote to memory of 296	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	28
PID 1216 wrote to memory of 856	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	29
PID 1216 wrote to memory of 856	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	29
PID 1216 wrote to memory of 856	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	29
PID 1216 wrote to memory of 856	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	29
PID 1216 wrote to memory of 468	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	30
PID 1216 wrote to memory of 468	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	30
PID 1216 wrote to memory of 468	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	30
PID 1216 wrote to memory of 468	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	30
PID 1216 wrote to memory of 2036	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	31
PID 1216 wrote to memory of 2036	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	31
PID 1216 wrote to memory of 2036	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	31
PID 1216 wrote to memory of 2036	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	31
PID 856 wrote to memory of 360	856	xifylppztjkpiru.exe	32
PID 856 wrote to memory of 360	856	xifylppztjkpiru.exe	32
PID 856 wrote to memory of 360	856	xifylppztjkpiru.exe	32
PID 856 wrote to memory of 360	856	xifylppztjkpiru.exe	32
PID 296 wrote to memory of 920	296	vkjudclwcf.exe	34
PID 296 wrote to memory of 920	296	vkjudclwcf.exe	34
PID 296 wrote to memory of 920	296	vkjudclwcf.exe	34
PID 296 wrote to memory of 920	296	vkjudclwcf.exe	34
PID 360 wrote to memory of 1772	360	cmd.exe	35
PID 360 wrote to memory of 1772	360	cmd.exe	35
PID 360 wrote to memory of 1772	360	cmd.exe	35
PID 360 wrote to memory of 1772	360	cmd.exe	35
PID 1216 wrote to memory of 676	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	36
PID 1216 wrote to memory of 676	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	36
PID 1216 wrote to memory of 676	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	36
PID 1216 wrote to memory of 676	1216	d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe	36
PID 676 wrote to memory of 1696	676	WINWORD.EXE	40
PID 676 wrote to memory of 1696	676	WINWORD.EXE	40
PID 676 wrote to memory of 1696	676	WINWORD.EXE	40
PID 676 wrote to memory of 1696	676	WINWORD.EXE	40

C:\Users\Admin\AppData\Local\Temp\d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe
"C:\Users\Admin\AppData\Local\Temp\d25e633ab36a220ea083ee22ac18281ca82d1e5d84691fe9ea8b07e16b7d2c59.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\vkjudclwcf.exe
  vkjudclwcf.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Windows\SysWOW64\iokgfksl.exe
    C:\Windows\system32\iokgfksl.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:920
- C:\Windows\SysWOW64\xifylppztjkpiru.exe
  xifylppztjkpiru.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ibomntkousycc.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\SysWOW64\ibomntkousycc.exe
      ibomntkousycc.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1772
- C:\Windows\SysWOW64\iokgfksl.exe
  iokgfksl.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:468
- C:\Windows\SysWOW64\ibomntkousycc.exe
  ibomntkousycc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2036
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
255KB

MD5
e075e62e5a0321861b91147c63ae9b40

SHA1
d1ae09e000f78d3f877213b8255ddb58fa2fa46e

SHA256
d825bfd97b8525b6d9f5af90dbae24781900970013ac2bdf395c94af25cb233d

SHA512
6fc3ac780459a6c856cf805529098fd8e4c3e9fbba02205fb7f19093b8426c96b71712fcc36541a816b6f4767b34b51be1492bc23e82633e7c3a0a7569cb2d1e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
255KB

MD5
3f6acb045cc0f1d50b288c0a76d4d756

SHA1
ec159b2252e4cadaa2b6ffcba5158dc2cf0b4ab2

SHA256
4b334b9cbc2c3e35c4b2b419661434fa2d5d4eca6cc995d23e9e5be52ca7ec07

SHA512
d76bc71c26500b5de930698ba50df218ed3ebe16b3def8f500b27421320031ed70482961f5806f91569133445074c390630c4e6362b993760b3496976ff1337f

Download Submit
C:\Users\Admin\AppData\Roaming\StopCompress.doc.exe

Filesize
255KB

MD5
25428bd5a5c7a374090fb1f7abd5399a

SHA1
967dde020282d573a2acb4118283c43d97f1f816

SHA256
d5d873300c1a3efff12ae290fe603fd266cdf420b0831906cdacd8869b45f921

SHA512
0a5b32974ab897e7b0d4c6d6e840241dec9d0b9a3b3db2cb99d829b3dac7f3eead4c5c7742b15f45ccac23e478e9afd27d46316510f7f173a477f5084e2aa7f0

Download Submit
C:\Users\Admin\AppData\Roaming\StopCompress.doc.exe

Filesize
255KB

MD5
25428bd5a5c7a374090fb1f7abd5399a

SHA1
967dde020282d573a2acb4118283c43d97f1f816

SHA256
d5d873300c1a3efff12ae290fe603fd266cdf420b0831906cdacd8869b45f921

SHA512
0a5b32974ab897e7b0d4c6d6e840241dec9d0b9a3b3db2cb99d829b3dac7f3eead4c5c7742b15f45ccac23e478e9afd27d46316510f7f173a477f5084e2aa7f0

Download Submit
C:\Windows\SysWOW64\ibomntkousycc.exe

Filesize
255KB

MD5
d0dae4d9188df402946c57b4a2065887

SHA1
7999e3c38e3467438fd3c369c1c3322b2e7ea229

SHA256
6559fe73fd953503f886196fcf6370b747cfee5455343626449aa81e83882b15

SHA512
70b09919fb33a459a82d0e5d408ef56928b7458f07e7227b2b6cd14b20047220a57a8efabd84ae209afa015beef2f3a6b92d659d701fb26348911be41387b686

Download Submit
C:\Windows\SysWOW64\ibomntkousycc.exe

Filesize
255KB

MD5
d0dae4d9188df402946c57b4a2065887

SHA1
7999e3c38e3467438fd3c369c1c3322b2e7ea229

SHA256
6559fe73fd953503f886196fcf6370b747cfee5455343626449aa81e83882b15

SHA512
70b09919fb33a459a82d0e5d408ef56928b7458f07e7227b2b6cd14b20047220a57a8efabd84ae209afa015beef2f3a6b92d659d701fb26348911be41387b686

Download Submit
C:\Windows\SysWOW64\ibomntkousycc.exe

Filesize
255KB

MD5
d0dae4d9188df402946c57b4a2065887

SHA1
7999e3c38e3467438fd3c369c1c3322b2e7ea229

SHA256
6559fe73fd953503f886196fcf6370b747cfee5455343626449aa81e83882b15

SHA512
70b09919fb33a459a82d0e5d408ef56928b7458f07e7227b2b6cd14b20047220a57a8efabd84ae209afa015beef2f3a6b92d659d701fb26348911be41387b686

Download Submit
C:\Windows\SysWOW64\iokgfksl.exe

Filesize
255KB

MD5
b083158bb351161a7b66fff64a6e008b

SHA1
d4410c1b52fb05a51a9407b687ead7d1d66790e5

SHA256
2a3dd8c41a55704e1ac7e7157d16a56646d27010428209d41d582da9cda906d4

SHA512
c994949c4094b77e66d11d0bd72119ef7130794c861463a8019760ecc535172709bf9fb49488dddc977a4c3a8fb728c29ba24b227291bfa7c8207f6f3c6c8f84

Download Submit
C:\Windows\SysWOW64\iokgfksl.exe

Filesize
255KB

MD5
b083158bb351161a7b66fff64a6e008b

SHA1
d4410c1b52fb05a51a9407b687ead7d1d66790e5

SHA256
2a3dd8c41a55704e1ac7e7157d16a56646d27010428209d41d582da9cda906d4

SHA512
c994949c4094b77e66d11d0bd72119ef7130794c861463a8019760ecc535172709bf9fb49488dddc977a4c3a8fb728c29ba24b227291bfa7c8207f6f3c6c8f84

Download Submit
C:\Windows\SysWOW64\iokgfksl.exe

Filesize
255KB

MD5
b083158bb351161a7b66fff64a6e008b

SHA1
d4410c1b52fb05a51a9407b687ead7d1d66790e5

SHA256
2a3dd8c41a55704e1ac7e7157d16a56646d27010428209d41d582da9cda906d4

SHA512
c994949c4094b77e66d11d0bd72119ef7130794c861463a8019760ecc535172709bf9fb49488dddc977a4c3a8fb728c29ba24b227291bfa7c8207f6f3c6c8f84

Download Submit
C:\Windows\SysWOW64\vkjudclwcf.exe

Filesize
255KB

MD5
f3aa295469bfd93c00a84cc673b12f77

SHA1
6ca197570f056bf608f72a8c2e34e6784c997c62

SHA256
9eca8381ff73c0a9f7e76da99fcb29913ed616c3f9735bc728b21fb494f9efd4

SHA512
ec88bf153f0bd6c8182379de296e818b879c7177ff04645967770edc7e932760a8a871dbb5f19b83bbba1b6cc6e0039528f9c09344402c7d554c661d7ee3d432

Download Submit
C:\Windows\SysWOW64\vkjudclwcf.exe

Filesize
255KB

MD5
f3aa295469bfd93c00a84cc673b12f77

SHA1
6ca197570f056bf608f72a8c2e34e6784c997c62

SHA256
9eca8381ff73c0a9f7e76da99fcb29913ed616c3f9735bc728b21fb494f9efd4

SHA512
ec88bf153f0bd6c8182379de296e818b879c7177ff04645967770edc7e932760a8a871dbb5f19b83bbba1b6cc6e0039528f9c09344402c7d554c661d7ee3d432

Download Submit
C:\Windows\SysWOW64\xifylppztjkpiru.exe

Filesize
255KB

MD5
ce066748158f108e9245dd893c8f181e

SHA1
019e0df0485a1a9b595704bce5f0f848c2ade33e

SHA256
99fc4ac0e905b48829a90576176a5d1d39bb4367c6e8e65405c5323d3b07af10

SHA512
82f40bba8d8fe82d22a82b19c7ebf34edb996f5767cbf0d5f6f3d04aead78bb7a63ad3acf2bd34f2d1965c5d68e2f1d92e957caeaf9a03d2242c00440e073797

Download Submit
C:\Windows\SysWOW64\xifylppztjkpiru.exe

Filesize
255KB

MD5
ce066748158f108e9245dd893c8f181e

SHA1
019e0df0485a1a9b595704bce5f0f848c2ade33e

SHA256
99fc4ac0e905b48829a90576176a5d1d39bb4367c6e8e65405c5323d3b07af10

SHA512
82f40bba8d8fe82d22a82b19c7ebf34edb996f5767cbf0d5f6f3d04aead78bb7a63ad3acf2bd34f2d1965c5d68e2f1d92e957caeaf9a03d2242c00440e073797

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\ibomntkousycc.exe

Filesize
255KB

MD5
d0dae4d9188df402946c57b4a2065887

SHA1
7999e3c38e3467438fd3c369c1c3322b2e7ea229

SHA256
6559fe73fd953503f886196fcf6370b747cfee5455343626449aa81e83882b15

SHA512
70b09919fb33a459a82d0e5d408ef56928b7458f07e7227b2b6cd14b20047220a57a8efabd84ae209afa015beef2f3a6b92d659d701fb26348911be41387b686

Download Submit
\Windows\SysWOW64\ibomntkousycc.exe

Filesize
255KB

MD5
d0dae4d9188df402946c57b4a2065887

SHA1
7999e3c38e3467438fd3c369c1c3322b2e7ea229

SHA256
6559fe73fd953503f886196fcf6370b747cfee5455343626449aa81e83882b15

SHA512
70b09919fb33a459a82d0e5d408ef56928b7458f07e7227b2b6cd14b20047220a57a8efabd84ae209afa015beef2f3a6b92d659d701fb26348911be41387b686

Download Submit
\Windows\SysWOW64\iokgfksl.exe

Filesize
255KB

MD5
b083158bb351161a7b66fff64a6e008b

SHA1
d4410c1b52fb05a51a9407b687ead7d1d66790e5

SHA256
2a3dd8c41a55704e1ac7e7157d16a56646d27010428209d41d582da9cda906d4

SHA512
c994949c4094b77e66d11d0bd72119ef7130794c861463a8019760ecc535172709bf9fb49488dddc977a4c3a8fb728c29ba24b227291bfa7c8207f6f3c6c8f84

Download Submit
\Windows\SysWOW64\iokgfksl.exe

Filesize
255KB

MD5
b083158bb351161a7b66fff64a6e008b

SHA1
d4410c1b52fb05a51a9407b687ead7d1d66790e5

SHA256
2a3dd8c41a55704e1ac7e7157d16a56646d27010428209d41d582da9cda906d4

SHA512
c994949c4094b77e66d11d0bd72119ef7130794c861463a8019760ecc535172709bf9fb49488dddc977a4c3a8fb728c29ba24b227291bfa7c8207f6f3c6c8f84

Download Submit
\Windows\SysWOW64\vkjudclwcf.exe

Filesize
255KB

MD5
f3aa295469bfd93c00a84cc673b12f77

SHA1
6ca197570f056bf608f72a8c2e34e6784c997c62

SHA256
9eca8381ff73c0a9f7e76da99fcb29913ed616c3f9735bc728b21fb494f9efd4

SHA512
ec88bf153f0bd6c8182379de296e818b879c7177ff04645967770edc7e932760a8a871dbb5f19b83bbba1b6cc6e0039528f9c09344402c7d554c661d7ee3d432

Download Submit
\Windows\SysWOW64\xifylppztjkpiru.exe

Filesize
255KB

MD5
ce066748158f108e9245dd893c8f181e

SHA1
019e0df0485a1a9b595704bce5f0f848c2ade33e

SHA256
99fc4ac0e905b48829a90576176a5d1d39bb4367c6e8e65405c5323d3b07af10

SHA512
82f40bba8d8fe82d22a82b19c7ebf34edb996f5767cbf0d5f6f3d04aead78bb7a63ad3acf2bd34f2d1965c5d68e2f1d92e957caeaf9a03d2242c00440e073797

Download Submit
memory/296-85-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/296-99-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/468-101-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/468-88-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/676-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/676-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/676-105-0x0000000070D3D000-0x0000000070D48000-memory.dmp

Filesize
44KB

Download
memory/676-112-0x0000000070D3D000-0x0000000070D48000-memory.dmp

Filesize
44KB

Download
memory/676-97-0x0000000070D3D000-0x0000000070D48000-memory.dmp

Filesize
44KB

Download
memory/676-94-0x00000000722D1000-0x00000000722D4000-memory.dmp

Filesize
12KB

Download
memory/676-95-0x000000006FD51000-0x000000006FD53000-memory.dmp

Filesize
8KB

Download
memory/856-87-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/856-100-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/920-103-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/920-90-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1216-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1216-93-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1216-86-0x0000000003340000-0x00000000033E0000-memory.dmp

Filesize
640KB

Download
memory/1216-55-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1696-108-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1772-104-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1772-91-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2036-89-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/2036-102-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download