f629280bd3147000718ec60d7e6fbdd26f36580c15c6d903b8c6f1e27ae857da

Analysis

max time kernel
156s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ed4e3f3bf70565d7b06ac317f93aec.exe
Size

512KB
MD5

22ed4e3f3bf70565d7b06ac317f93aec
SHA1

f6efda263c340f6d560aac158b82dffafe110794
SHA256

f629280bd3147000718ec60d7e6fbdd26f36580c15c6d903b8c6f1e27ae857da
SHA512

b49c958bd6b3d3d06e74ac52c2c4fe4ed7659373f09fb74767224e85e2191e6ca8738ee38a463f97b63de15111c7a255066b1cecf95a1dc93aaca4c0f0ae0c38
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	knklgogmsh.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	knklgogmsh.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	knklgogmsh.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	knklgogmsh.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2828	knklgogmsh.exe
2664	npmasbjixesxztw.exe
2856	gcpqkvan.exe
2860	topxyygvfllyi.exe
2552	gcpqkvan.exe

Loads dropped DLL 5 IoCs

pid	Process
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2828	knklgogmsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	knklgogmsh.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pjvubbxh = "knklgogmsh.exe"	npmasbjixesxztw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mzkndbrj = "npmasbjixesxztw.exe"	npmasbjixesxztw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "topxyygvfllyi.exe"	npmasbjixesxztw.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	knklgogmsh.exe
File opened (read-only)	\??\j:	gcpqkvan.exe
File opened (read-only)	\??\o:	gcpqkvan.exe
File opened (read-only)	\??\q:	gcpqkvan.exe
File opened (read-only)	\??\z:	gcpqkvan.exe
File opened (read-only)	\??\l:	knklgogmsh.exe
File opened (read-only)	\??\i:	knklgogmsh.exe
File opened (read-only)	\??\j:	knklgogmsh.exe
File opened (read-only)	\??\w:	knklgogmsh.exe
File opened (read-only)	\??\s:	gcpqkvan.exe
File opened (read-only)	\??\l:	gcpqkvan.exe
File opened (read-only)	\??\x:	gcpqkvan.exe
File opened (read-only)	\??\n:	knklgogmsh.exe
File opened (read-only)	\??\u:	knklgogmsh.exe
File opened (read-only)	\??\r:	gcpqkvan.exe
File opened (read-only)	\??\g:	knklgogmsh.exe
File opened (read-only)	\??\w:	gcpqkvan.exe
File opened (read-only)	\??\a:	gcpqkvan.exe
File opened (read-only)	\??\j:	gcpqkvan.exe
File opened (read-only)	\??\n:	gcpqkvan.exe
File opened (read-only)	\??\h:	knklgogmsh.exe
File opened (read-only)	\??\o:	knklgogmsh.exe
File opened (read-only)	\??\v:	knklgogmsh.exe
File opened (read-only)	\??\i:	gcpqkvan.exe
File opened (read-only)	\??\e:	gcpqkvan.exe
File opened (read-only)	\??\q:	gcpqkvan.exe
File opened (read-only)	\??\x:	knklgogmsh.exe
File opened (read-only)	\??\v:	gcpqkvan.exe
File opened (read-only)	\??\a:	gcpqkvan.exe
File opened (read-only)	\??\m:	gcpqkvan.exe
File opened (read-only)	\??\o:	gcpqkvan.exe
File opened (read-only)	\??\u:	gcpqkvan.exe
File opened (read-only)	\??\z:	gcpqkvan.exe
File opened (read-only)	\??\g:	gcpqkvan.exe
File opened (read-only)	\??\p:	gcpqkvan.exe
File opened (read-only)	\??\m:	gcpqkvan.exe
File opened (read-only)	\??\r:	gcpqkvan.exe
File opened (read-only)	\??\t:	gcpqkvan.exe
File opened (read-only)	\??\e:	knklgogmsh.exe
File opened (read-only)	\??\y:	knklgogmsh.exe
File opened (read-only)	\??\y:	gcpqkvan.exe
File opened (read-only)	\??\s:	gcpqkvan.exe
File opened (read-only)	\??\v:	gcpqkvan.exe
File opened (read-only)	\??\h:	gcpqkvan.exe
File opened (read-only)	\??\k:	gcpqkvan.exe
File opened (read-only)	\??\x:	gcpqkvan.exe
File opened (read-only)	\??\e:	gcpqkvan.exe
File opened (read-only)	\??\p:	gcpqkvan.exe
File opened (read-only)	\??\k:	knklgogmsh.exe
File opened (read-only)	\??\l:	gcpqkvan.exe
File opened (read-only)	\??\h:	gcpqkvan.exe
File opened (read-only)	\??\r:	knklgogmsh.exe
File opened (read-only)	\??\s:	knklgogmsh.exe
File opened (read-only)	\??\b:	gcpqkvan.exe
File opened (read-only)	\??\n:	gcpqkvan.exe
File opened (read-only)	\??\g:	gcpqkvan.exe
File opened (read-only)	\??\k:	gcpqkvan.exe
File opened (read-only)	\??\w:	gcpqkvan.exe
File opened (read-only)	\??\m:	knklgogmsh.exe
File opened (read-only)	\??\q:	knklgogmsh.exe
File opened (read-only)	\??\t:	gcpqkvan.exe
File opened (read-only)	\??\p:	knklgogmsh.exe
File opened (read-only)	\??\b:	gcpqkvan.exe
File opened (read-only)	\??\i:	gcpqkvan.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	knklgogmsh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	knklgogmsh.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000e0000000126a2-5.dat	autoit_exe
behavioral1/files/0x000b00000001225f-17.dat	autoit_exe
behavioral1/files/0x000e0000000126a2-23.dat	autoit_exe
behavioral1/files/0x0031000000015d99-29.dat	autoit_exe
behavioral1/files/0x000e0000000126a2-26.dat	autoit_exe
behavioral1/files/0x000b00000001225f-22.dat	autoit_exe
behavioral1/files/0x000e0000000126a2-28.dat	autoit_exe
behavioral1/files/0x0031000000015d99-32.dat	autoit_exe
behavioral1/files/0x000700000001603c-33.dat	autoit_exe
behavioral1/files/0x000700000001603c-37.dat	autoit_exe
behavioral1/files/0x000700000001603c-40.dat	autoit_exe
behavioral1/files/0x0031000000015d99-41.dat	autoit_exe
behavioral1/files/0x0031000000015d99-43.dat	autoit_exe
behavioral1/files/0x000600000001753f-73.dat	autoit_exe
behavioral1/files/0x0005000000018675-77.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\topxyygvfllyi.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File opened for modification	C:\Windows\SysWOW64\knklgogmsh.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File created	C:\Windows\SysWOW64\gcpqkvan.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File opened for modification	C:\Windows\SysWOW64\gcpqkvan.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File created	C:\Windows\SysWOW64\topxyygvfllyi.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File created	C:\Windows\SysWOW64\knklgogmsh.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File created	C:\Windows\SysWOW64\npmasbjixesxztw.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File opened for modification	C:\Windows\SysWOW64\npmasbjixesxztw.exe	22ed4e3f3bf70565d7b06ac317f93aec.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	knklgogmsh.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gcpqkvan.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gcpqkvan.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gcpqkvan.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gcpqkvan.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gcpqkvan.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gcpqkvan.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gcpqkvan.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gcpqkvan.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	22ed4e3f3bf70565d7b06ac317f93aec.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	22ed4e3f3bf70565d7b06ac317f93aec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBF9CBF960F19884083B4386EA3998B3FE02F142120248E2C4459D09D4"	22ed4e3f3bf70565d7b06ac317f93aec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	knklgogmsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF5FF884F5B82199031D62E7D92BC92E134594B67346237D79D"	22ed4e3f3bf70565d7b06ac317f93aec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	knklgogmsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	knklgogmsh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	knklgogmsh.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77B1596DAB5B8C07CE6ECE734BC"	22ed4e3f3bf70565d7b06ac317f93aec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2908	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2552	gcpqkvan.exe
2552	gcpqkvan.exe
2552	gcpqkvan.exe
2552	gcpqkvan.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2664	npmasbjixesxztw.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2628	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe
Token: SeShutdownPrivilege	2264	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2552	gcpqkvan.exe
2552	gcpqkvan.exe
2552	gcpqkvan.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2172	22ed4e3f3bf70565d7b06ac317f93aec.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2828	knklgogmsh.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2664	npmasbjixesxztw.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2860	topxyygvfllyi.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2856	gcpqkvan.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2628	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe
2264	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	WINWORD.EXE
2908	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2828	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	28
PID 2172 wrote to memory of 2828	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	28
PID 2172 wrote to memory of 2828	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	28
PID 2172 wrote to memory of 2828	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	28
PID 2172 wrote to memory of 2664	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	30
PID 2172 wrote to memory of 2664	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	30
PID 2172 wrote to memory of 2664	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	30
PID 2172 wrote to memory of 2664	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	30
PID 2172 wrote to memory of 2856	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	29
PID 2172 wrote to memory of 2856	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	29
PID 2172 wrote to memory of 2856	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	29
PID 2172 wrote to memory of 2856	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	29
PID 2172 wrote to memory of 2860	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	31
PID 2172 wrote to memory of 2860	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	31
PID 2172 wrote to memory of 2860	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	31
PID 2172 wrote to memory of 2860	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	31
PID 2828 wrote to memory of 2552	2828	knklgogmsh.exe	33
PID 2828 wrote to memory of 2552	2828	knklgogmsh.exe	33
PID 2828 wrote to memory of 2552	2828	knklgogmsh.exe	33
PID 2828 wrote to memory of 2552	2828	knklgogmsh.exe	33
PID 2172 wrote to memory of 2908	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	34
PID 2172 wrote to memory of 2908	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	34
PID 2172 wrote to memory of 2908	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	34
PID 2172 wrote to memory of 2908	2172	22ed4e3f3bf70565d7b06ac317f93aec.exe	34
PID 2908 wrote to memory of 1160	2908	WINWORD.EXE	39
PID 2908 wrote to memory of 1160	2908	WINWORD.EXE	39
PID 2908 wrote to memory of 1160	2908	WINWORD.EXE	39
PID 2908 wrote to memory of 1160	2908	WINWORD.EXE	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\22ed4e3f3bf70565d7b06ac317f93aec.exe
"C:\Users\Admin\AppData\Local\Temp\22ed4e3f3bf70565d7b06ac317f93aec.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\knklgogmsh.exe
  knklgogmsh.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\gcpqkvan.exe
    C:\Windows\system32\gcpqkvan.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2552
- C:\Windows\SysWOW64\gcpqkvan.exe
  gcpqkvan.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2856
- C:\Windows\SysWOW64\npmasbjixesxztw.exe
  npmasbjixesxztw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2664
- C:\Windows\SysWOW64\topxyygvfllyi.exe
  topxyygvfllyi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2860
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
985fc60a03c8c77c1d388c721772c181

SHA1
096bfdf55a527fe8ed049c7b638b3e2102113ec2

SHA256
5320c96885b5c7c76d6ea67a64eb7a5ca62b48b302c774ac058a7916913a2113

SHA512
e45a52e89da3cdcfaeea5f9a1711ddd643c8641bd68bd13c7623bb20501c08733b25164fae8e3544edb6ab308db46208ae391fec643dc2e6d185d8290dcd31ad

Download Submit
C:\Users\Admin\AppData\Roaming\MoveClose.doc.exe

Filesize
512KB

MD5
ae06c2b6a76dcdc39eb8f83b530d9e45

SHA1
9d538ab202e6d384012b5151baaef4a369080a89

SHA256
a03ddcc463f655e59f55e5ec77712b5863f86830ae1be700ecab34cba3a1d85d

SHA512
2e24ecc0bbb244e3be486a3db755a2863d60910198edd74a03ea81e87262bf60877d8481cfb39d903e2c74e82a163334315d027b70bdb9ca696274b25f0dc12c

Download Submit
C:\Windows\SysWOW64\gcpqkvan.exe

Filesize
55KB

MD5
98da9368a470ab71beb58b1b89b762c6

SHA1
2eb68e38e36b367cd315e9832ff5be2a43402d2c

SHA256
b7351fbb246f10feb7596d28aa2a29cc295e464ae41d965da8227f5d3e3449f4

SHA512
994159af2a45a58d60a4d39056dff5a613c4d4338d9345e51883759abdc3a80fafdbca68da3ecaa0fb1802f35ed03f669c7acf69b3d59496f2f7d4ede41ddf99

Download Submit
C:\Windows\SysWOW64\gcpqkvan.exe

Filesize
79KB

MD5
5e863b29afe7ef7aaae5b3fda13afc86

SHA1
b405100c211d1fb9a3338a19ef252027172b1127

SHA256
4c5548079d892eb098ed6f560915ec105a06fb5bd23db3f98beedcbc7ad53052

SHA512
561582918dc045b0d468168b29bc243f800fbc1abb0244cf4bda6819568d7bdf6b7f091bdb1d7833e7740373227e56ef095061c7787c4e67428db273e9c9ce08

Download Submit
C:\Windows\SysWOW64\gcpqkvan.exe

Filesize
512KB

MD5
08602bfd930efb60dcd06bae2bba7aad

SHA1
dd9ea9e77977b9e42dcd58d02f8d11f3c3b349ac

SHA256
6522881ef4b526951d0ce52a288d53d63d90b20f0126f5d03c4a3eac4704f997

SHA512
aa2fe6132d81d48fd593633926484a978fea993ce503022ef551c880710cfa451e6631bb5465792012bcf8adf6225c900f22e7752317f18d95ac64d0af6e26af

Download Submit
C:\Windows\SysWOW64\knklgogmsh.exe

Filesize
212KB

MD5
259d8c4ed400fe6471744a5c925383d0

SHA1
9c37f94ba5a9af30a5adaaa3a81533307e746348

SHA256
c38016f312fa78cdcbd1b8ece788a8f8b28ac72820022e8dd58078946d78eeaf

SHA512
4dec25d5ed2896ed3efb2b79112d4c51b2666205e46cc9df987b2bfbb4e59b4eb3883109b7f3b6064f823b798096c7999044bbc6e7396bca8a68786bf0cdd0ab

Download Submit
C:\Windows\SysWOW64\npmasbjixesxztw.exe

Filesize
154KB

MD5
93843b3a39e1a4e006dcb331afdcef8c

SHA1
ba17c68915b3223cd5641e536ec6295442b68735

SHA256
88b51c2d84ba38fef5c146021fcff0a4f95f1b444e1774249e748e93ac4458b3

SHA512
e3566e8fadbf0149d4a5da316fad3b00416fca62b473511415c2cd514391eeb485a855464c0172120ea8c9eadaed7dba7e2f78af981f8ba34e71f2eddde48adc

Download Submit
C:\Windows\SysWOW64\npmasbjixesxztw.exe

Filesize
66KB

MD5
c142c17c37df3ff9890c58c9a3ab0d11

SHA1
2177cc5231ec445013005e7e667b48c41d1aa2c4

SHA256
c06deea0ef05e13b21510bf49ca18069b1f3f895a6f350d5df3da40761221f73

SHA512
3537d741f197846f09a04a675ae1058d45b8892abc8067ca1c44fb188d2460849f0ffdb6efd677617cb70784b0b11c2a9391f97d4dcc424b86a10a2869a57d4b

Download Submit
C:\Windows\SysWOW64\npmasbjixesxztw.exe

Filesize
512KB

MD5
b7f0937b1273d1a7843309c2365bae36

SHA1
1892f2fc267347d26aea99aa7782bc8cecd70dda

SHA256
c504fccf1398f71e917a57a216cd335ef792a00f39a7c27d3f59caf1c589c577

SHA512
c232765e54c2bdb345ac09a51729434909aaaf54880ec10faa4e75ab467dec108259252bc92b92503dc3646bea7df9164d682fee9f98ce66d958f87dd208790c

Download Submit
C:\Windows\SysWOW64\topxyygvfllyi.exe

Filesize
86KB

MD5
c7deae8a410fc9af44e192bf002bb163

SHA1
52d5a0e4073c15d74ac309dae039ade1d52dec27

SHA256
6aa38368d4a4e4eb01c2ca6506e39768f324b3dbcf6b356c46bb909befda4a88

SHA512
61a5689603e51890415db16cd294563182e1ccd372034677b9f4f83dd2aef0a94ddc569e3b8abd7641a363336e83b6dbc90acd1c06e3dafd800c83f2c40f0346

Download Submit
C:\Windows\SysWOW64\topxyygvfllyi.exe

Filesize
39KB

MD5
32a346a366ceb4c4d9950e0ee8ca9442

SHA1
b741233d3cc598d1fec0f96cd33c66dd134448c1

SHA256
d20c5037f6495344334b30d636ec468d7371796577d7d014a914e4893d866fef

SHA512
444608a82f7db2a9efc68eaff5e63583bf9922ef8b2f0137443e0651dec1f56fa63101f3bdf79225f3b725d5a8b12f65e014d7089a52cbf275ca4b4430c938e2

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\gcpqkvan.exe

Filesize
251KB

MD5
94e58585be1acfc67c4a264e6492be6b

SHA1
d4cd322aa2ff59b138959a9f8e0dc92c935660b3

SHA256
3c884dfe16636fccfee9e7c944aa157a6f1b74268e944574093d6c833ce26f22

SHA512
12a1c02f911376d4af9a9aeb0320c5a8ccf1ec4be24719b820d8271493b38e8cb3e37ace41561feea88498872207639fa1b4ed0f844efc1fb1be544e0f70fc4d

Download Submit
\Windows\SysWOW64\knklgogmsh.exe

Filesize
512KB

MD5
4ef6326fb2ad00c3f825875781f9d260

SHA1
ea7841484decb17f97d8a82ddcb789afb264524a

SHA256
779b37ee9b7e8ccd392584b8accfa9ab3c1f372c7257fc77372374b0a16c5ca8

SHA512
4741a1efdefe2c13cdd77848da6d43ec19bef4dc5d08d201a94b8e55711cbf50c71a5f13c73a22514405432b88daa720089e898c6997667865943951a10d3524

Download Submit
\Windows\SysWOW64\npmasbjixesxztw.exe

Filesize
266KB

MD5
450a216a2da65be72a5353b283a2dc60

SHA1
238df0e1ea17bc0b03e4a122e0c229e3b24c874e

SHA256
91296d3175a222521a87c984cd28e6c9cb4af73b2b5cc1b2cce9d9c6b8b65f45

SHA512
c244f73ac98e96e978168aef844002120cb857f79d8a628e1aa75b4d14d81337b22373e9b575ff96914167cf815262ff7a4f41fe0b215027971857b9dc357329

Download Submit
\Windows\SysWOW64\topxyygvfllyi.exe

Filesize
183KB

MD5
ff53324f679db7c844f1959bcfd3d8ad

SHA1
f95f8e909e24e2fff0e3561fb5a45020669b153c

SHA256
5aa135f6c0d559fa6420f63d70e9cd1441947455e79701b3302f048d1518303e

SHA512
20d95d499720f04fa6efe54760c88fe82b6abe34df69bf5ad87fb3f1f7eefe69252f7fc65af251a285fcdee6a890e14f430fc615c520e485fd0bb4442be340bf

Download Submit
memory/2172-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2264-82-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/2264-87-0x0000000003970000-0x0000000003980000-memory.dmp

Filesize
64KB

Download
memory/2264-75-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download
memory/2628-67-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/2908-47-0x0000000070D5D000-0x0000000070D68000-memory.dmp

Filesize
44KB

Download
memory/2908-80-0x0000000070D5D000-0x0000000070D68000-memory.dmp

Filesize
44KB

Download
memory/2908-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-45-0x000000002FC51000-0x000000002FC52000-memory.dmp

Filesize
4KB

Download