Analysis
-
max time kernel
19s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
24/12/2023, 14:27
Static task
static1
Behavioral task
behavioral1
Sample
00d5631d7e417272e1c6bbfc3550cf1c.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
00d5631d7e417272e1c6bbfc3550cf1c.exe
Resource
win10v2004-20231222-en
General
-
Target
00d5631d7e417272e1c6bbfc3550cf1c.exe
-
Size
512KB
-
MD5
00d5631d7e417272e1c6bbfc3550cf1c
-
SHA1
4d96e053010e3b19a7fffe5a00064bd562248dc4
-
SHA256
016e41014f190f7c79e3a091b3e002eedfea88738fde6b9e40b97390b0f09806
-
SHA512
70ae6474a2f372aa695a7104f9e7a8ab794a742f67b3a13dd5cf04d71b39f4bc6dd2bed92c8e42ee2a73f26ddb2c971b840dd6e8aad2dade59575f76f815dec2
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6T:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" iolvnnahxm.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" iolvnnahxm.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" iolvnnahxm.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iolvnnahxm.exe -
Executes dropped EXE 6 IoCs
pid Process 2544 iolvnnahxm.exe 1468 hbytahxkntydyjk.exe 2588 gpjljaiv.exe 2576 kkgrjkygtfyqy.exe 2820 kkgrjkygtfyqy.exe 2624 gpjljaiv.exe -
Loads dropped DLL 6 IoCs
pid Process 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 2664 cmd.exe 2544 iolvnnahxm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iolvnnahxm.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rijuynis = "iolvnnahxm.exe" hbytahxkntydyjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nebfgtsi = "hbytahxkntydyjk.exe" hbytahxkntydyjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kkgrjkygtfyqy.exe" hbytahxkntydyjk.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" iolvnnahxm.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" iolvnnahxm.exe -
AutoIT Executable 22 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\gpjljaiv.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File created C:\Windows\SysWOW64\kkgrjkygtfyqy.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File opened for modification C:\Windows\SysWOW64\kkgrjkygtfyqy.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll iolvnnahxm.exe File created C:\Windows\SysWOW64\hbytahxkntydyjk.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File opened for modification C:\Windows\SysWOW64\hbytahxkntydyjk.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File created C:\Windows\SysWOW64\gpjljaiv.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File created C:\Windows\SysWOW64\iolvnnahxm.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe File opened for modification C:\Windows\SysWOW64\iolvnnahxm.exe 00d5631d7e417272e1c6bbfc3550cf1c.exe -
Drops file in Program Files directory 22 IoCs
description ioc Process File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal gpjljaiv.exe File created \??\c:\Program Files\SuspendCompare.doc.exe gpjljaiv.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gpjljaiv.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files\SuspendCompare.doc.exe gpjljaiv.exe File opened for modification C:\Program Files\SuspendCompare.nal gpjljaiv.exe File opened for modification \??\c:\Program Files\SuspendCompare.doc.exe gpjljaiv.exe File opened for modification C:\Program Files\SuspendCompare.nal gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal gpjljaiv.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files\SuspendCompare.doc.exe gpjljaiv.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft 
Office\Office14\1033\PROTTPLV.DOC.exe gpjljaiv.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal gpjljaiv.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe gpjljaiv.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf 00d5631d7e417272e1c6bbfc3550cf1c.exe File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created 
\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf iolvnnahxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" iolvnnahxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" iolvnnahxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat iolvnnahxm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" iolvnnahxm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes 00d5631d7e417272e1c6bbfc3550cf1c.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2460 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 21 IoCs
Suspicious use of SendNotifyMessage 21 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2460 WINWORD.EXE 2460 WINWORD.EXE -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 1712 wrote to memory of 2544 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 26 PID 1712 wrote to memory of 2544 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 26 PID 1712 wrote to memory of 2544 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 26 PID 1712 wrote to memory of 2544 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 26 PID 1712 wrote to memory of 1468 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 16 PID 1712 wrote to memory of 1468 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 16 PID 1712 wrote to memory of 1468 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 16 PID 1712 wrote to memory of 1468 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 16 PID 1712 wrote to memory of 2588 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 25 PID 1712 wrote to memory of 2588 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 25 PID 1712 wrote to memory of 2588 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 25 PID 1712 wrote to memory of 2588 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 25 PID 1468 wrote to memory of 2664 1468 hbytahxkntydyjk.exe 23 PID 1468 wrote to memory of 2664 1468 hbytahxkntydyjk.exe 23 PID 1468 wrote to memory of 2664 1468 hbytahxkntydyjk.exe 23 PID 1468 wrote to memory of 2664 1468 hbytahxkntydyjk.exe 23 PID 2664 wrote to memory of 2576 2664 cmd.exe 19 PID 2664 wrote to memory of 2576 2664 cmd.exe 19 PID 2664 wrote to memory of 2576 2664 cmd.exe 19 PID 2664 wrote to memory of 2576 2664 cmd.exe 19 PID 1712 wrote to memory of 2820 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 20 PID 1712 wrote to memory of 2820 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 20 PID 1712 wrote to memory of 2820 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 20 PID 1712 wrote to memory of 2820 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 20 PID 2544 wrote to memory of 2624 2544 iolvnnahxm.exe 17 PID 2544 wrote to memory of 2624 2544 iolvnnahxm.exe 17 PID 2544 wrote to memory of 2624 2544 iolvnnahxm.exe 17 PID 2544 wrote to memory of 2624 2544 iolvnnahxm.exe 17 PID 1712 wrote to memory of 2460 1712 
00d5631d7e417272e1c6bbfc3550cf1c.exe 18 PID 1712 wrote to memory of 2460 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 18 PID 1712 wrote to memory of 2460 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 18 PID 1712 wrote to memory of 2460 1712 00d5631d7e417272e1c6bbfc3550cf1c.exe 18 PID 2460 wrote to memory of 1564 2460 WINWORD.EXE 39 PID 2460 wrote to memory of 1564 2460 WINWORD.EXE 39 PID 2460 wrote to memory of 1564 2460 WINWORD.EXE 39 PID 2460 wrote to memory of 1564 2460 WINWORD.EXE 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\00d5631d7e417272e1c6bbfc3550cf1c.exe "C:\Users\Admin\AppData\Local\Temp\00d5631d7e417272e1c6bbfc3550cf1c.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\hbytahxkntydyjk.exe hbytahxkntydyjk.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\cmd.exe cmd.exe /c kkgrjkygtfyqy.exe 3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288 3⤵
PID:1564
-
-
-
C:\Windows\SysWOW64\kkgrjkygtfyqy.exe kkgrjkygtfyqy.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2820
-
-
C:\Windows\SysWOW64\gpjljaiv.exe gpjljaiv.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2588
-
-
C:\Windows\SysWOW64\iolvnnahxm.exe
iolvnnahxm.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2544
-
-
C:\Windows\SysWOW64\gpjljaiv.exe
C:\Windows\system32\gpjljaiv.exe 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2624
-
C:\Windows\SysWOW64\kkgrjkygtfyqy.exe
kkgrjkygtfyqy.exe 1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2576
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (7)
Downloads