Analysis
max time kernel: 132s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 17:23
Static task: static1
Behavioral task: behavioral1
Sample: 08478b0a20b9941292f63fd9082e2245.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 08478b0a20b9941292f63fd9082e2245.exe
Resource: win10v2004-20231222-en
General
Target: 08478b0a20b9941292f63fd9082e2245.exe
Size: 512KB
MD5: 08478b0a20b9941292f63fd9082e2245
SHA1: cea903f85151878dfd2c0a7755e9574ec2a38aac
SHA256: 74be36919da08b2e4607568bf9e0069a668dde44cde84f609cfdeb68d31f7d54
SHA512: b20549c5e0ac415688cceb2522cc1a5d70d3cc7197a5ea2d3953ead25d589328b558eb91572596cb92bd1c0b433ea4622fb48a28eaf33309d2e0bd72bd37d8e5
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6g:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5Z
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (Process: sglegohiit.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (Process: sglegohiit.exe)
Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (Process: sglegohiit.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Process: sglegohiit.exe)
Modifies Installed Components in the registry 2 TTPs 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Active Setup\Installed Components (Process: explorer.exe)
Executes dropped EXE 5 IoCs
- PID 1992: sglegohiit.exe
- PID 1808: casqpqpasmfguij.exe
- PID 2604: mcztbpko.exe
- PID 2668: yoipetfbxqpoc.exe
- PID 2500: mcztbpko.exe
Loads dropped DLL 5 IoCs
- PID 2916: 08478b0a20b9941292f63fd9082e2245.exe (4 entries)
- PID 1992: sglegohiit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (Process: sglegohiit.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yjsyircv = "sglegohiit.exe" (Process: casqpqpasmfguij.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eedmbzdj = "casqpqpasmfguij.exe" (Process: casqpqpasmfguij.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yoipetfbxqpoc.exe" (Process: casqpqpasmfguij.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (Process: sglegohiit.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (Process: sglegohiit.exe)
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
- File opened for modification: C:\Windows\SysWOW64\sglegohiit.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification: C:\Windows\SysWOW64\casqpqpasmfguij.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification: C:\Windows\SysWOW64\mcztbpko.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File created: C:\Windows\SysWOW64\yoipetfbxqpoc.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification: C:\Windows\SysWOW64\yoipetfbxqpoc.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification: C:\Windows\SysWOW64\msvbvm60.dll (Process: sglegohiit.exe)
- File created: C:\Windows\SysWOW64\sglegohiit.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File created: C:\Windows\SysWOW64\casqpqpasmfguij.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File created: C:\Windows\SysWOW64\mcztbpko.exe (Process: 08478b0a20b9941292f63fd9082e2245.exe)
Drops file in Program Files directory 15 IoCs
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (Process: mcztbpko.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (Process: mcztbpko.exe)
- File created: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (Process: mcztbpko.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (Process: mcztbpko.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (Process: mcztbpko.exe)
- File opened for modification: \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (Process: mcztbpko.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (Process: mcztbpko.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (Process: mcztbpko.exe)
Drops file in Windows directory 4 IoCs
- File created: C:\Windows\~$mydoc.rtf (Process: WINWORD.EXE)
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (Process: WINWORD.EXE)
- File opened for modification: C:\Windows\mydoc.rtf (Process: 08478b0a20b9941292f63fd9082e2245.exe)
- File opened for modification: C:\Windows\mydoc.rtf (Process: WINWORD.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2768: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 2916: 08478b0a20b9941292f63fd9082e2245.exe
- PID 1992: sglegohiit.exe
- PID 2604: mcztbpko.exe
- PID 2668: yoipetfbxqpoc.exe
- PID 1808: casqpqpasmfguij.exe
- PID 2500: mcztbpko.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
- Token: SeShutdownPrivilege (PID 2464, Process: explorer.exe)
Suspicious use of FindShellTrayWindow 46 IoCs
- PID 2916: 08478b0a20b9941292f63fd9082e2245.exe
- PID 1992: sglegohiit.exe
- PID 2604: mcztbpko.exe
- PID 2668: yoipetfbxqpoc.exe
- PID 1808: casqpqpasmfguij.exe
- PID 2500: mcztbpko.exe
- PID 2464: explorer.exe
Suspicious use of SendNotifyMessage 34 IoCs
- PID 2916: 08478b0a20b9941292f63fd9082e2245.exe
- PID 1992: sglegohiit.exe
- PID 2604: mcztbpko.exe
- PID 2668: yoipetfbxqpoc.exe
- PID 1808: casqpqpasmfguij.exe
- PID 2464: explorer.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2768: WINWORD.EXE
Suspicious use of WriteProcessMemory 24 IoCs
- PID 2916 wrote to memory of 1992 (PID 2916, Process: 08478b0a20b9941292f63fd9082e2245.exe, procid_target: 21)
- PID 2916 wrote to memory of 1808 (PID 2916, Process: 08478b0a20b9941292f63fd9082e2245.exe, procid_target: 19)
- PID 2916 wrote to memory of 2604 (PID 2916, Process: 08478b0a20b9941292f63fd9082e2245.exe, procid_target: 18)
- PID 2916 wrote to memory of 2668 (PID 2916, Process: 08478b0a20b9941292f63fd9082e2245.exe, procid_target: 15)
- PID 1992 wrote to memory of 2500 (PID 1992, Process: sglegohiit.exe, procid_target: 17)
- PID 2916 wrote to memory of 2768 (PID 2916, Process: 08478b0a20b9941292f63fd9082e2245.exe, procid_target: 16)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\08478b0a20b9941292f63fd9082e2245.exe  "C:\Users\Admin\AppData\Local\Temp\08478b0a20b9941292f63fd9082e2245.exe"  1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\yoipetfbxqpoc.exe  yoipetfbxqpoc.exe  2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2668
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2768
-
-
C:\Windows\SysWOW64\mcztbpko.exe mcztbpko.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604
-
-
C:\Windows\SysWOW64\casqpqpasmfguij.exe casqpqpasmfguij.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1808
-
-
C:\Windows\SysWOW64\sglegohiit.exe sglegohiit.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
-
-
C:\Windows\SysWOW64\mcztbpko.exe C:\Windows\system32\mcztbpko.exe 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2500
-
C:\Windows\explorer.exe explorer.exe 1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2464
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Privilege Escalation
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Impair Defenses 2
Disable or Modify Tools 2
Modify Registry 8
Downloads