Analysis
max time kernel: 148s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 24-12-2023 14:41
Static task
static1
Behavioral task
behavioral1
Sample
01c7d88acd3c1d39384d04c2b1066b1a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
01c7d88acd3c1d39384d04c2b1066b1a.exe
Resource
win10v2004-20231215-en
General
Target: 01c7d88acd3c1d39384d04c2b1066b1a.exe
Size: 512KB
MD5: 01c7d88acd3c1d39384d04c2b1066b1a
SHA1: afb440656640e6dc77a3171aa7ec8cd71d87cc25
SHA256: b24639c9e5eda15b98c47d33d5432b558a8d0af5cb2e3fd8c288763a61b4c9de
SHA512: a6772660f80f98e04cef0f7d7ce768a6f66641500b6d81a020042b46ae2faeb1654ddde11552684333cd021978835e7906c72a65e23468fca7bd8e8b2a92e6ef
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" tzzoasuzai.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" tzzoasuzai.exe
Windows security bypass
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tzzoasuzai.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" tzzoasuzai.exe
Executes dropped EXE 6 IoCs
pid Process
1164 tzzoasuzai.exe
2988 dadqzjxvojwjzvc.exe
3032 npphxyby.exe
2664 vhimrgmvqmrtq.exe
2840 vhimrgmvqmrtq.exe
2596 npphxyby.exe
Loads dropped DLL 6 IoCs
pid Process
2544 01c7d88acd3c1d39384d04c2b1066b1a.exe
2544 01c7d88acd3c1d39384d04c2b1066b1a.exe
2544 01c7d88acd3c1d39384d04c2b1066b1a.exe
2544 01c7d88acd3c1d39384d04c2b1066b1a.exe
2672 cmd.exe
1164 tzzoasuzai.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" tzzoasuzai.exe
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oxltoomg = "tzzoasuzai.exe" dadqzjxvojwjzvc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ctjfvziy = "dadqzjxvojwjzvc.exe" dadqzjxvojwjzvc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vhimrgmvqmrtq.exe" dadqzjxvojwjzvc.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" tzzoasuzai.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" tzzoasuzai.exe
AutoIT Executable 20 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\tzzoasuzai.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File created C:\Windows\SysWOW64\dadqzjxvojwjzvc.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File opened for modification C:\Windows\SysWOW64\dadqzjxvojwjzvc.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File opened for modification C:\Windows\SysWOW64\npphxyby.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File created C:\Windows\SysWOW64\tzzoasuzai.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File created C:\Windows\SysWOW64\npphxyby.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File created C:\Windows\SysWOW64\vhimrgmvqmrtq.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File opened for modification C:\Windows\SysWOW64\vhimrgmvqmrtq.exe 01c7d88acd3c1d39384d04c2b1066b1a.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll tzzoasuzai.exe
Drops file in Program Files directory 15 IoCs
description ioc Process
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal npphxyby.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal npphxyby.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe npphxyby.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal npphxyby.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe npphxyby.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal npphxyby.exe
Drops file in Windows directory 5 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 01c7d88acd3c1d39384d04c2b1066b1a.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2460 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 21 IoCs
Suspicious use of SendNotifyMessage 21 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2460 WINWORD.EXE
2460 WINWORD.EXE
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\01c7d88acd3c1d39384d04c2b1066b1a.exe "C:\Users\Admin\AppData\Local\Temp\01c7d88acd3c1d39384d04c2b1066b1a.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 3⤵
PID:2500
-
-
-
C:\Windows\SysWOW64\vhimrgmvqmrtq.exe vhimrgmvqmrtq.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2664
-
-
C:\Windows\SysWOW64\npphxyby.exe npphxyby.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3032
C:\Windows\SysWOW64\dadqzjxvojwjzvc.exe dadqzjxvojwjzvc.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988
C:\Windows\SysWOW64\tzzoasuzai.exe tzzoasuzai.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164
C:\Windows\SysWOW64\npphxyby.exe C:\Windows\system32\npphxyby.exe 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596
C:\Windows\SysWOW64\vhimrgmvqmrtq.exe vhimrgmvqmrtq.exe 1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2840
C:\Windows\SysWOW64\cmd.exe cmd.exe /c vhimrgmvqmrtq.exe 1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
  - Hidden Files and Directories: 2
- Impair Defenses: 2
  - Disable or Modify Tools: 2
- Modify Registry: 7
Downloads