5b570a3df3a2f0a54427482b5280b343d74d9ab555e17ee4017ae065997929c8

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe \"C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\üþÿÝ×ýÑýü.exe\""	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9394E44-1727-BAB3-22BA-4E4422BA1727}\last-check = "üþÿÝ×ýÑýü.exe"	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9394E44-1727-BAB3-22BA-4E4422BA1727}\last-check7 = "÷ùúØÒøÌø÷\u0090„•\u0090.exe"	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Active Setup\Installed Components\{B9394E44-1727-BAB3-22BA-4E4422BA1727}	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9394E44-1727-BAB3-22BA-4E4422BA1727}\Direktori = "d[}xŠ\u008f…\u0090˜”}t‰†\u008d\u008do†˜}„\u0090\u008f•“\u0090\u008dOœSRfdSQSQNTbfbNRQWZNbSeeNQYQQScTQTQZež"	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9394E44-1727-BAB3-22BA-4E4422BA1727}\Direktori = "d[}xŠ\u008f…\u0090˜”}”š”•†ŽTS}‘“Š\u008f•†“OœSSSXbSYQNTbfbNRQWZNbSefNQYQQScTQTQZež"	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	÷ùúØÒøÌø÷„•.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	÷ùúØÒøÌø÷„•.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	÷ùúØÒøÌø÷„•.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	÷ùúØÒøÌø÷„•.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	÷ùúØÒøÌø÷„•.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	üþÿÝ×ýÑýü.exe

Executes dropped EXE 25 IoCs

pid	Process
1028	÷ùúØÒøÌø÷„•.exe
3472	üþÿÝ×ýÑýü.exe
3772	üþÿÝ×ýÑýü.exe
1052	÷ùúØÒøÌø÷„•.exe
1908	üþÿÝ×ýÑýü.exe
4244	÷ùúØÒøÌø÷„•.exe
4772	üþÿÝ×ýÑýü.exe
4992	÷ùúØÒøÌø÷„•.exe
2568	üþÿÝ×ýÑýü.exe
4312	÷ùúØÒøÌø÷„•.exe
3568	üþÿÝ×ýÑýü.exe
4816	÷ùúØÒøÌø÷„•.exe
4936	÷ùúØÒøÌø÷„•.exe
4156	üþÿÝ×ýÑýü.exe
1020	üþÿÝ×ýÑýü.exe
4680	÷ùúØÒøÌø÷„•.exe
4332	÷ùúØÒøÌø÷„•.exe
2672	üþÿÝ×ýÑýü.exe
5032	÷ùúØÒøÌø÷„•.exe
4900	üþÿÝ×ýÑýü.exe
4460	÷ùúØÒøÌø÷„•.exe
4388	üþÿÝ×ýÑýü.exe
4524	÷ùúØÒøÌø÷„•.exe
3056	üþÿÝ×ýÑýü.exe
3500	÷ùúØÒøÌø÷„•.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1188-0-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/files/0x0007000000023419-7.dat	upx
behavioral2/files/0x0007000000023418-14.dat	upx
behavioral2/memory/3772-21-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1188-24-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3772-27-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1028-29-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3472-36-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4244-52-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1052-73-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4772-71-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2568-96-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4312-102-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1908-101-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4992-124-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4816-132-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4936-135-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3568-148-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4156-153-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4936-203-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4680-218-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1020-233-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/5032-255-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4900-268-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4332-270-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/2672-295-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4524-318-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3056-328-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4460-331-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3500-341-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/4388-343-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\÷ùúØÒøÌø÷„•.exe = "C:\\Windows\\system32\\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\\÷ùúØÒøÌø÷\u0090„•\u0090.exe"	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-buffers	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\mail-sent	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\mail-buffers	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\ShellNew\control.{21EC2020-3AEA-1069-A2DD-08002B30309D}\mail-sent	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
File opened for modification	C:\Windows\ShellNew\control.{21EC2020-3AEA-1069-A2DD-08002B30309D}	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	üþÿÝ×ýÑýü.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	÷ùúØÒøÌø÷„•.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	÷ùúØÒøÌø÷„•.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	÷ùúØÒøÌø÷„•.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	÷ùúØÒøÌø÷„•.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	÷ùúØÒøÌø÷„•.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	üþÿÝ×ýÑýü.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	÷ùúØÒøÌø÷„•.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3728	WINWORD.EXE
3728	WINWORD.EXE

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
1028	÷ùúØÒøÌø÷„•.exe
3472	üþÿÝ×ýÑýü.exe
3772	üþÿÝ×ýÑýü.exe
1052	÷ùúØÒøÌø÷„•.exe
3728	WINWORD.EXE
3728	WINWORD.EXE
3728	WINWORD.EXE
1908	üþÿÝ×ýÑýü.exe
4244	÷ùúØÒøÌø÷„•.exe
3728	WINWORD.EXE
4772	üþÿÝ×ýÑýü.exe
3728	WINWORD.EXE
3728	WINWORD.EXE
3728	WINWORD.EXE
4992	÷ùúØÒøÌø÷„•.exe
2568	üþÿÝ×ýÑýü.exe
4312	÷ùúØÒøÌø÷„•.exe
3568	üþÿÝ×ýÑýü.exe
4816	÷ùúØÒøÌø÷„•.exe
4936	÷ùúØÒøÌø÷„•.exe
3728	WINWORD.EXE
4156	üþÿÝ×ýÑýü.exe
1020	üþÿÝ×ýÑýü.exe
4680	÷ùúØÒøÌø÷„•.exe
4332	÷ùúØÒøÌø÷„•.exe
2672	üþÿÝ×ýÑýü.exe
5032	÷ùúØÒøÌø÷„•.exe
4900	üþÿÝ×ýÑýü.exe
4460	÷ùúØÒøÌø÷„•.exe
4388	üþÿÝ×ýÑýü.exe
4524	÷ùúØÒøÌø÷„•.exe
3056	üþÿÝ×ýÑýü.exe
3500	÷ùúØÒøÌø÷„•.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 1028	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	84
PID 1188 wrote to memory of 1028	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	84
PID 1188 wrote to memory of 1028	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	84
PID 1188 wrote to memory of 3472	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	85
PID 1188 wrote to memory of 3472	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	85
PID 1188 wrote to memory of 3472	1188	6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe	85
PID 1028 wrote to memory of 3772	1028	÷ùúØÒøÌø÷„•.exe	86
PID 1028 wrote to memory of 3772	1028	÷ùúØÒøÌø÷„•.exe	86
PID 1028 wrote to memory of 3772	1028	÷ùúØÒøÌø÷„•.exe	86
PID 3472 wrote to memory of 3728	3472	üþÿÝ×ýÑýü.exe	89
PID 3472 wrote to memory of 3728	3472	üþÿÝ×ýÑýü.exe	89
PID 3472 wrote to memory of 1052	3472	üþÿÝ×ýÑýü.exe	90
PID 3472 wrote to memory of 1052	3472	üþÿÝ×ýÑýü.exe	90
PID 3472 wrote to memory of 1052	3472	üþÿÝ×ýÑýü.exe	90
PID 1052 wrote to memory of 1908	1052	÷ùúØÒøÌø÷„•.exe	92
PID 1052 wrote to memory of 1908	1052	÷ùúØÒøÌø÷„•.exe	92
PID 1052 wrote to memory of 1908	1052	÷ùúØÒøÌø÷„•.exe	92
PID 1908 wrote to memory of 4244	1908	üþÿÝ×ýÑýü.exe	93
PID 1908 wrote to memory of 4244	1908	üþÿÝ×ýÑýü.exe	93
PID 1908 wrote to memory of 4244	1908	üþÿÝ×ýÑýü.exe	93
PID 1052 wrote to memory of 2076	1052	÷ùúØÒøÌø÷„•.exe	94
PID 1052 wrote to memory of 2076	1052	÷ùúØÒøÌø÷„•.exe	94
PID 1052 wrote to memory of 4772	1052	÷ùúØÒøÌø÷„•.exe	95
PID 1052 wrote to memory of 4772	1052	÷ùúØÒøÌø÷„•.exe	95
PID 1052 wrote to memory of 4772	1052	÷ùúØÒøÌø÷„•.exe	95
PID 1908 wrote to memory of 4992	1908	üþÿÝ×ýÑýü.exe	96
PID 1908 wrote to memory of 4992	1908	üþÿÝ×ýÑýü.exe	96
PID 1908 wrote to memory of 4992	1908	üþÿÝ×ýÑýü.exe	96
PID 4992 wrote to memory of 2568	4992	÷ùúØÒøÌø÷„•.exe	97
PID 4992 wrote to memory of 2568	4992	÷ùúØÒøÌø÷„•.exe	97
PID 4992 wrote to memory of 2568	4992	÷ùúØÒøÌø÷„•.exe	97
PID 1908 wrote to memory of 3872	1908	üþÿÝ×ýÑýü.exe	98
PID 1908 wrote to memory of 3872	1908	üþÿÝ×ýÑýü.exe	98
PID 1908 wrote to memory of 4312	1908	üþÿÝ×ýÑýü.exe	99
PID 1908 wrote to memory of 4312	1908	üþÿÝ×ýÑýü.exe	99
PID 1908 wrote to memory of 4312	1908	üþÿÝ×ýÑýü.exe	99
PID 4992 wrote to memory of 1360	4992	÷ùúØÒøÌø÷„•.exe	100
PID 4992 wrote to memory of 1360	4992	÷ùúØÒøÌø÷„•.exe	100
PID 4992 wrote to memory of 3568	4992	÷ùúØÒøÌø÷„•.exe	101
PID 4992 wrote to memory of 3568	4992	÷ùúØÒøÌø÷„•.exe	101
PID 4992 wrote to memory of 3568	4992	÷ùúØÒøÌø÷„•.exe	101
PID 3568 wrote to memory of 4816	3568	üþÿÝ×ýÑýü.exe	102
PID 3568 wrote to memory of 4816	3568	üþÿÝ×ýÑýü.exe	102
PID 3568 wrote to memory of 4816	3568	üþÿÝ×ýÑýü.exe	102
PID 3568 wrote to memory of 4556	3568	üþÿÝ×ýÑýü.exe	104
PID 3568 wrote to memory of 4556	3568	üþÿÝ×ýÑýü.exe	104
PID 3568 wrote to memory of 4936	3568	üþÿÝ×ýÑýü.exe	105
PID 3568 wrote to memory of 4936	3568	üþÿÝ×ýÑýü.exe	105
PID 3568 wrote to memory of 4936	3568	üþÿÝ×ýÑýü.exe	105
PID 4936 wrote to memory of 4156	4936	÷ùúØÒøÌø÷„•.exe	106
PID 4936 wrote to memory of 4156	4936	÷ùúØÒøÌø÷„•.exe	106
PID 4936 wrote to memory of 4156	4936	÷ùúØÒøÌø÷„•.exe	106
PID 4936 wrote to memory of 4040	4936	÷ùúØÒøÌø÷„•.exe	108
PID 4936 wrote to memory of 4040	4936	÷ùúØÒøÌø÷„•.exe	108
PID 4936 wrote to memory of 1020	4936	÷ùúØÒøÌø÷„•.exe	109
PID 4936 wrote to memory of 1020	4936	÷ùúØÒøÌø÷„•.exe	109
PID 4936 wrote to memory of 1020	4936	÷ùúØÒøÌø÷„•.exe	109
PID 1020 wrote to memory of 4680	1020	üþÿÝ×ýÑýü.exe	128
PID 1020 wrote to memory of 4680	1020	üþÿÝ×ýÑýü.exe	128
PID 1020 wrote to memory of 4680	1020	üþÿÝ×ýÑýü.exe	128
PID 1020 wrote to memory of 2456	1020	üþÿÝ×ýÑýü.exe	111
PID 1020 wrote to memory of 2456	1020	üþÿÝ×ýÑýü.exe	111
PID 1020 wrote to memory of 4332	1020	üþÿÝ×ýÑýü.exe	112
PID 1020 wrote to memory of 4332	1020	üþÿÝ×ýÑýü.exe	112

C:\Users\Admin\AppData\Local\Temp\6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe
"C:\Users\Admin\AppData\Local\Temp\6690204ed0041210274e149fd7aa719b242cbc25a046bf5274c26bfb0c7feb47.exe"
1⤵
- Modifies WinLogon for persistence
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3772
- C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
  C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:3728
- - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
    C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1908
    - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4244
    - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2568
      - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        6⤵
        
        PID:1360
      - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4816
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4156
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        8⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        9⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        11⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:4388
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        13⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3500
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        12⤵
        
        PID:324
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4900
    - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
        5⤵
        
        PID:3872
    - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\÷ùúØÒøÌø÷„•.exe
        
        C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\÷ùúØÒøÌø÷„•.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4312
  - - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\the [K]angen is back.doc" /o ""
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}\üþÿÝ×ýÑýü.exe
      C:\Windows\system32\printer.{2227A280-3AEA-1069-A2DE-08002B30309D}.\üþÿÝ×ýÑýü.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery