1698e6dfeda5d819eb36efe4feb6b658fbc8c58607370ffed7d6743fc76fd444

Analysis

max time kernel
161s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1fde57c8632f81e1ddd18313f8ccac68.exe
Size

512KB
MD5

1fde57c8632f81e1ddd18313f8ccac68
SHA1

9de18a319aae72f212efdf53e9b0115daf41db44
SHA256

1698e6dfeda5d819eb36efe4feb6b658fbc8c58607370ffed7d6743fc76fd444
SHA512

b10b805b0b4774b5e3d3413781972fa9fa645e6d20790a4a5137b7df424bba1397ddd7d7381939ad16a82cad1259f62e0b8f8efa2bd2d740298228f4da3e5d47
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6n:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Q

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aunhmneyeu.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aunhmneyeu.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	aunhmneyeu.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aunhmneyeu.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2340	aunhmneyeu.exe
2772	hjsjwvtbxcdpbxs.exe
2760	rkazjowh.exe
2668	aoqfavambbgsg.exe
2672	rkazjowh.exe

Loads dropped DLL 5 IoCs

pid	Process
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
2340	aunhmneyeu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	aunhmneyeu.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ijenaogo = "aunhmneyeu.exe"	hjsjwvtbxcdpbxs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jcbzmlcf = "hjsjwvtbxcdpbxs.exe"	hjsjwvtbxcdpbxs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aoqfavambbgsg.exe"	hjsjwvtbxcdpbxs.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\j:	rkazjowh.exe
File opened (read-only)	\??\l:	rkazjowh.exe
File opened (read-only)	\??\g:	rkazjowh.exe
File opened (read-only)	\??\o:	rkazjowh.exe
File opened (read-only)	\??\v:	rkazjowh.exe
File opened (read-only)	\??\b:	aunhmneyeu.exe
File opened (read-only)	\??\h:	aunhmneyeu.exe
File opened (read-only)	\??\s:	rkazjowh.exe
File opened (read-only)	\??\v:	rkazjowh.exe
File opened (read-only)	\??\a:	rkazjowh.exe
File opened (read-only)	\??\k:	rkazjowh.exe
File opened (read-only)	\??\m:	rkazjowh.exe
File opened (read-only)	\??\u:	rkazjowh.exe
File opened (read-only)	\??\w:	rkazjowh.exe
File opened (read-only)	\??\e:	aunhmneyeu.exe
File opened (read-only)	\??\x:	aunhmneyeu.exe
File opened (read-only)	\??\m:	rkazjowh.exe
File opened (read-only)	\??\b:	rkazjowh.exe
File opened (read-only)	\??\r:	rkazjowh.exe
File opened (read-only)	\??\s:	rkazjowh.exe
File opened (read-only)	\??\t:	rkazjowh.exe
File opened (read-only)	\??\w:	rkazjowh.exe
File opened (read-only)	\??\r:	aunhmneyeu.exe
File opened (read-only)	\??\x:	rkazjowh.exe
File opened (read-only)	\??\m:	aunhmneyeu.exe
File opened (read-only)	\??\o:	aunhmneyeu.exe
File opened (read-only)	\??\z:	aunhmneyeu.exe
File opened (read-only)	\??\h:	rkazjowh.exe
File opened (read-only)	\??\i:	aunhmneyeu.exe
File opened (read-only)	\??\j:	aunhmneyeu.exe
File opened (read-only)	\??\b:	rkazjowh.exe
File opened (read-only)	\??\p:	rkazjowh.exe
File opened (read-only)	\??\u:	rkazjowh.exe
File opened (read-only)	\??\y:	rkazjowh.exe
File opened (read-only)	\??\t:	aunhmneyeu.exe
File opened (read-only)	\??\n:	rkazjowh.exe
File opened (read-only)	\??\h:	rkazjowh.exe
File opened (read-only)	\??\p:	rkazjowh.exe
File opened (read-only)	\??\g:	aunhmneyeu.exe
File opened (read-only)	\??\p:	aunhmneyeu.exe
File opened (read-only)	\??\z:	rkazjowh.exe
File opened (read-only)	\??\n:	rkazjowh.exe
File opened (read-only)	\??\w:	aunhmneyeu.exe
File opened (read-only)	\??\g:	rkazjowh.exe
File opened (read-only)	\??\q:	aunhmneyeu.exe
File opened (read-only)	\??\s:	aunhmneyeu.exe
File opened (read-only)	\??\e:	rkazjowh.exe
File opened (read-only)	\??\r:	rkazjowh.exe
File opened (read-only)	\??\u:	aunhmneyeu.exe
File opened (read-only)	\??\v:	aunhmneyeu.exe
File opened (read-only)	\??\y:	aunhmneyeu.exe
File opened (read-only)	\??\o:	rkazjowh.exe
File opened (read-only)	\??\i:	rkazjowh.exe
File opened (read-only)	\??\l:	rkazjowh.exe
File opened (read-only)	\??\a:	rkazjowh.exe
File opened (read-only)	\??\k:	aunhmneyeu.exe
File opened (read-only)	\??\q:	rkazjowh.exe
File opened (read-only)	\??\y:	rkazjowh.exe
File opened (read-only)	\??\q:	rkazjowh.exe
File opened (read-only)	\??\t:	rkazjowh.exe
File opened (read-only)	\??\z:	rkazjowh.exe
File opened (read-only)	\??\a:	aunhmneyeu.exe
File opened (read-only)	\??\l:	aunhmneyeu.exe
File opened (read-only)	\??\k:	rkazjowh.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	aunhmneyeu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	aunhmneyeu.exe

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0015000000015daa-5.dat	autoit_exe
behavioral1/files/0x0009000000012270-17.dat	autoit_exe
behavioral1/files/0x0009000000012270-20.dat	autoit_exe
behavioral1/files/0x0015000000015daa-25.dat	autoit_exe
behavioral1/files/0x000700000001604f-32.dat	autoit_exe
behavioral1/files/0x000700000001604f-27.dat	autoit_exe
behavioral1/files/0x000700000001624f-30.dat	autoit_exe
behavioral1/files/0x0015000000015daa-21.dat	autoit_exe
behavioral1/files/0x000700000001624f-36.dat	autoit_exe
behavioral1/files/0x000700000001604f-40.dat	autoit_exe
behavioral1/files/0x0015000000015daa-39.dat	autoit_exe
behavioral1/files/0x0009000000012270-38.dat	autoit_exe
behavioral1/files/0x000700000001624f-41.dat	autoit_exe
behavioral1/files/0x000700000001604f-42.dat	autoit_exe
behavioral1/files/0x000700000001604f-43.dat	autoit_exe
behavioral1/files/0x000500000001867f-69.dat	autoit_exe
behavioral1/files/0x000500000001867f-71.dat	autoit_exe
behavioral1/files/0x0005000000018683-77.dat	autoit_exe
behavioral1/files/0x000300000000894a-82.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	aunhmneyeu.exe
File opened for modification	C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File created	C:\Windows\SysWOW64\rkazjowh.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File created	C:\Windows\SysWOW64\aoqfavambbgsg.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File opened for modification	C:\Windows\SysWOW64\aoqfavambbgsg.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File created	C:\Windows\SysWOW64\aunhmneyeu.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File opened for modification	C:\Windows\SysWOW64\aunhmneyeu.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File created	C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe	1fde57c8632f81e1ddd18313f8ccac68.exe
File opened for modification	C:\Windows\SysWOW64\rkazjowh.exe	1fde57c8632f81e1ddd18313f8ccac68.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rkazjowh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rkazjowh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rkazjowh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	rkazjowh.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rkazjowh.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	rkazjowh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	rkazjowh.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	1fde57c8632f81e1ddd18313f8ccac68.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	aunhmneyeu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	aunhmneyeu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	aunhmneyeu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	aunhmneyeu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2696	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2672	rkazjowh.exe
2672	rkazjowh.exe
2672	rkazjowh.exe
2672	rkazjowh.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	2564	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe
Token: SeShutdownPrivilege	904	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2760	rkazjowh.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2672	rkazjowh.exe
2672	rkazjowh.exe
2672	rkazjowh.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
1636	1fde57c8632f81e1ddd18313f8ccac68.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2340	aunhmneyeu.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2772	hjsjwvtbxcdpbxs.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2668	aoqfavambbgsg.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2760	rkazjowh.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
2564	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe
904	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2696	WINWORD.EXE
2696	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2340	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	27
PID 1636 wrote to memory of 2340	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	27
PID 1636 wrote to memory of 2340	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	27
PID 1636 wrote to memory of 2340	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	27
PID 1636 wrote to memory of 2772	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	28
PID 1636 wrote to memory of 2772	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	28
PID 1636 wrote to memory of 2772	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	28
PID 1636 wrote to memory of 2772	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	28
PID 1636 wrote to memory of 2760	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	30
PID 1636 wrote to memory of 2760	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	30
PID 1636 wrote to memory of 2760	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	30
PID 1636 wrote to memory of 2760	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	30
PID 1636 wrote to memory of 2668	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	29
PID 1636 wrote to memory of 2668	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	29
PID 1636 wrote to memory of 2668	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	29
PID 1636 wrote to memory of 2668	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	29
PID 1636 wrote to memory of 2696	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	31
PID 1636 wrote to memory of 2696	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	31
PID 1636 wrote to memory of 2696	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	31
PID 1636 wrote to memory of 2696	1636	1fde57c8632f81e1ddd18313f8ccac68.exe	31
PID 2340 wrote to memory of 2672	2340	aunhmneyeu.exe	32
PID 2340 wrote to memory of 2672	2340	aunhmneyeu.exe	32
PID 2340 wrote to memory of 2672	2340	aunhmneyeu.exe	32
PID 2340 wrote to memory of 2672	2340	aunhmneyeu.exe	32
PID 2696 wrote to memory of 752	2696	WINWORD.EXE	41
PID 2696 wrote to memory of 752	2696	WINWORD.EXE	41
PID 2696 wrote to memory of 752	2696	WINWORD.EXE	41
PID 2696 wrote to memory of 752	2696	WINWORD.EXE	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1fde57c8632f81e1ddd18313f8ccac68.exe
"C:\Users\Admin\AppData\Local\Temp\1fde57c8632f81e1ddd18313f8ccac68.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\aunhmneyeu.exe
  aunhmneyeu.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\rkazjowh.exe
    C:\Windows\system32\rkazjowh.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2672
- C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe
  hjsjwvtbxcdpbxs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772
- C:\Windows\SysWOW64\aoqfavambbgsg.exe
  aoqfavambbgsg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2668
- C:\Windows\SysWOW64\rkazjowh.exe
  rkazjowh.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2760
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:752

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
329KB

MD5
a742670537f88339eafca9532320d9a3

SHA1
7958dcaf809ff8aaa0080107b1e253d64ecd2e7d

SHA256
ac69e0a96b1223a827c3a920ff0d85a74bbb5df6b06826bc201277d443031a91

SHA512
3e8430bb83e4ec73566bea789679e96074532168cb4ef4b11fb2414fd8e945ea62cf25b14fc698caa207e9340a2f0f92e512c8b8ffe82726e5cc94c471206851

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
76fbcdc8e85d17e76c70c5a83852012f

SHA1
0798978915d8520b783d0fbb2d69e70916d67749

SHA256
3963a100d196cfac78510f28ba03e64d607be64e44753e069a6bf886770dd6cf

SHA512
63e0f7787ce58f642963402e02d5128e6a6bc200a0c859ab4c286f4d08a5bcc6145552fb6cfb4bdf932e50cf16d9f51146ebf8e6bd53aea55f0d01b2666a8ccf

Download Submit
C:\Users\Admin\AppData\Roaming\SaveConvertFrom.doc.exe

Filesize
512KB

MD5
a9360c5c1605b4354203e64c95ac4ead

SHA1
af7e2127e17bc6cb4278344ca6a1a16298eccdf6

SHA256
d9b00d4269b0ab1e7266c7fdc6d571756d3cfc30798b40354a5f864ee261acb5

SHA512
c2cba792c4636b8c28a480fe4236bceca0528f020b4c97a57c529574ad574776fd5a66583cd8a4e7d2a85a38027d4114068b221a3fd4b4259c1cc0fffaf11e88

Download Submit
C:\Windows\SysWOW64\aoqfavambbgsg.exe

Filesize
361KB

MD5
6e5b1e624ab6a9e717be1a3759fd7446

SHA1
0e1ff76941fc7879652fff4765bb9822ddbf4c0d

SHA256
782ae031fb72635c7e2b5cd273dd104456b774822d206dfa9c8af6b2a0c39b3a

SHA512
bb73a1da50b61d3cbd89669609d8e963fef904ec6d189731b5a5b25f5fd5094ad10fd4ffa89f9ca736df4b79a220ab7abc6f895cbf413166b483119974a07ab8

Download Submit
C:\Windows\SysWOW64\aoqfavambbgsg.exe

Filesize
438KB

MD5
a1c76db9487d2de4c1483aa8d1e328ea

SHA1
4dcce4d6e82a15abe314672793af0bb2f825765f

SHA256
0f44021d047931c431eb7f7191d75d256a67eff0765ff7cfa8dc984b66e416d3

SHA512
040b7995f078f26c39734aecc91c565230570c032051444d33905a89cee00d6e7b147270c15d7314ba257bfc3239ab0892a8105b9357251b52cfa14bf85f4662

Download Submit
C:\Windows\SysWOW64\aunhmneyeu.exe

Filesize
453KB

MD5
947e15800c0db760758428764448438e

SHA1
fc02f415e5e1697b7e2d26a1c9e82cfcfe411b43

SHA256
a12e234b10fa3922b9724c41a2a735951cc9e0c562c302d5d5b41a918429d006

SHA512
ef9482b39a44cced0890b07e0d471006b8c7a4f3a97f0264b2c8c3f0c0423934e3ab8ec4e26b4ec2ecb372bfd194ca6d6647247cd03e15869b1ec66a78ecc535

Download Submit
C:\Windows\SysWOW64\aunhmneyeu.exe

Filesize
462KB

MD5
a05fb71d5b379e2afc88b0feba2cd2fa

SHA1
668a13cdaf71ac181cfe4b002071897f649c4c4c

SHA256
927f5879f84de5271782e142c0cacd3c0c746c53bbbaddfa5a5e6385c7a648c3

SHA512
3eba1365c848ae94f39012f6c51f894f0797478ec80356b67c453ec5c0ed0ce0774fd5ddf957e8fc502c05fbff23c38345206594683c89b33791ce97b838a55f

Download Submit
C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe

Filesize
469KB

MD5
2ff9c67e822c4b559a4cf9abea3d74e9

SHA1
a66c68a64957d7810c42b1e7c51c06896b2686ba

SHA256
1dd5ee5a2388910de42aa55757f77c729c422ac118dea087eb94293162875583

SHA512
9c2dbc50afe8bc3c7a54c7a3aca7fe2cbf2e57837c220bec3bf6d28339649092e7f315b3b7677321f0e5c19e28c43b9ee157497c5a80a3c2b9b840fb5cda2633

Download Submit
C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe

Filesize
327KB

MD5
d82a43455d5c21f959efb5c95417eb6d

SHA1
07f89bb093a90c143447ee78bd5b16bfa230af7c

SHA256
ef461a124c97d01d9422a3787ad9e3820535b87cc33c23997f39658b97a9eed9

SHA512
5214ba75e099d9540ce855ef612038f44fa4e677a1bc47da1b469cd7fbeffa615922e08a4606410cc602d67442b4e7ee3f49770d79ad74cb8b8ddad26b0b1721

Download Submit
C:\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe

Filesize
512KB

MD5
4c7a9081c8d2ce1cfad3e5c761ad1de9

SHA1
7366a4f4a80422ac58d3c77b6a75c3d64235e964

SHA256
bba75b5039a5abfcd0c93782cc5f9b78958ca7833544ddda9501e3febab07aeb

SHA512
37e10fa3add661c400f118c1809cde69ed738609e77a997712f40a813e14c9c94759fa806691fb5ab7a8e5ba8301d0da3f066b3bdb26b0b7757f7a9052759d2b

Download Submit
C:\Windows\SysWOW64\rkazjowh.exe

Filesize
317KB

MD5
fa37d4e68ba9fca82c24b9376c1b870f

SHA1
fc40bce1b6e3600c4164ebe1b5cfe455a2bb0c9e

SHA256
bd749db62019b15dbab2c3ff31ab00ec23c921ab6dc26e6398fc72b521c8518d

SHA512
b2468c46673d319b4182d0507af43531e0c2e3ca7567f84aca183e7ea9b651a53155317cf6ffa6cf76cea5f83b7929fe47e2395143a4fc707fc4eb5e90c1ed72

Download Submit
C:\Windows\SysWOW64\rkazjowh.exe

Filesize
474KB

MD5
07061ff6ee4be0ab6e72a934a44d006b

SHA1
49cad8a7c2c712249e9b234fc1f669380d6ff7dc

SHA256
858fbe1a30240da64b4abbe20c31d6952b129b0196a934e6e76703bf722a7cad

SHA512
28294fd1437bd8de36ee6411019b90ee5ef28a9b5846ebc00da2f29be8da872c266aa3642cea9da0ea45126c97152383d46536080058dad56e375203dde9d1f4

Download Submit
C:\Windows\SysWOW64\rkazjowh.exe

Filesize
512KB

MD5
4db961424ec45fedbf811c48e4498028

SHA1
f87be0d0b7a5fde435abbcdab6d2994990af2b05

SHA256
27a688e47bca67594d7899fe18755bb8bc16d99d0cb3d50d79e4e67215c9ab77

SHA512
487423a93779cc3b59b85b0edfe62afd842d8ac6d64c1534091bec8c9443f3432ab367c39776085a0a0a4c4d855f9e8d13f47427a36ce1ef5c20f16ff49be046

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
43d7fd245a6a67601188c2077f2f5357

SHA1
6d82fe52dce7f03aebb49716ba0ec68f7f989f83

SHA256
394d02e0a68f6ad04c250f3b2aeb8ab52d31d80fb884010b6bfdab01a92042de

SHA512
450deca44644dc4dd55418506d1294c1a80d79d7b7df36f1bd753992fcd5371923eaa2848d7c9c42bc411e143a4a65d7e03414375610a63eb817396958f67eed

Download Submit
\Windows\SysWOW64\aoqfavambbgsg.exe

Filesize
378KB

MD5
85dc96fa5328e768c7f7d089812ac974

SHA1
de77a17a7db6ca0ab72613ab133c9f59826af148

SHA256
487651f0eacc123aee3d3d311b772461a8b6465248ddd4425c3e870dfa4a0a41

SHA512
202f1603ae5e6dbf41a8efa7440b5671d11412e622c764fa42ed916f76115f4bd71cb9a38fb811b2820cec42b82b1423f4e5a2f908e506ef2e53c9641dab5e79

Download Submit
\Windows\SysWOW64\aunhmneyeu.exe

Filesize
512KB

MD5
0009d14d0634042b71e543c73f74fa41

SHA1
c98f01cfd631d75b07fe2be31080904f4ab26320

SHA256
1223017ca5badb17803f9c863c3ab1c8f8cd80ff5c1fa582e0c72ce034a104e7

SHA512
833ca4a0d9e3cf20dc1f6c907cf51d96186b3f0142bc4e6d0ea49c6026d49c73ebd66dc9bd4bd02c3b4457708a66b2721d2be82721eb1ff819099e742b900dba

Download Submit
\Windows\SysWOW64\hjsjwvtbxcdpbxs.exe

Filesize
478KB

MD5
06157984b527f022238da523ec603f3c

SHA1
210ea3599abd480338aa9f44232658e1ee32abd5

SHA256
c7168c1e463fb13161240b790777daabdd3c32b52f002904b3d2db47742cbe18

SHA512
4cd9ebe1238eead0f397f5ab03472c2efbb1ceb28a9db48800279a5b4d346c2246fc5e53c048357ed4f9e5a4d8e71133a5ab2864463b3a7897e3aec1d67937cc

Download Submit
\Windows\SysWOW64\rkazjowh.exe

Filesize
363KB

MD5
90ea96a2359055a65572d8da65620bc5

SHA1
8b208e3a0d47da718e18307174fc484a64f3fcec

SHA256
9c1e47fd8da070820251aeb2c22bdeadd51ba9af59a9682f3e9f2ca49f375395

SHA512
59f13511232b0e6fcdc73fe2adda6a01f5e7e8da2ca4f44daf0f90a4308155a3f9bd6239f139de2f67292f1de3f8bb22950e3f44738e16e70d7e81d83f73b261

Download Submit
\Windows\SysWOW64\rkazjowh.exe

Filesize
476KB

MD5
36a39bb7c92e9be7b059c5ae58f6ac94

SHA1
2a7964bb91750a6460c01aa9d6135c5d5ede5043

SHA256
3574d9a2b284a82a6339973c133360faceb4790463d70178bf30e5176dd48b04

SHA512
1b95566b0dd514e7b08e8dc69eb80f40fdf526aff3325d983a4a7bea4c87609f1fe1e9592f65a0796af8d0879c5e07981b9c2138d413faa171b650699a596d91

Download Submit
memory/904-79-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/904-103-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1636-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2564-67-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/2696-44-0x000000002FA61000-0x000000002FA62000-memory.dmp

Filesize
4KB

Download
memory/2696-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2696-47-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download
memory/2696-81-0x000000007140D000-0x0000000071418000-memory.dmp

Filesize
44KB

Download