32499086592efa3a49548ee607808a74185ac96c003982cb94cb3c95ae0df74d

Analysis

max time kernel
252s
max time network
294s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

490af43a1ba402f98445a6dfe8668770.exe
Size

512KB
MD5

490af43a1ba402f98445a6dfe8668770
SHA1

997e4dc71109e9f6091eb286b6ba86e27f398893
SHA256

32499086592efa3a49548ee607808a74185ac96c003982cb94cb3c95ae0df74d
SHA512

c6f9515c60bc21e964f4ea15b14e54d2b9500e538d11ec99bc8f08106c21c4656f2d0b6c9484130a937f71910436057d6bbd32176951c16f9433eaad11f19da3
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5e

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	byoctyoycu.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	byoctyoycu.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	byoctyoycu.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	byoctyoycu.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2952	byoctyoycu.exe
1972	gfiwslxw.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
1820	gfiwslxw.exe

Loads dropped DLL 5 IoCs

pid	Process
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
2952	byoctyoycu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	byoctyoycu.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jozqubqe = "byoctyoycu.exe"	kzqhxdvlgucgimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ltihesel = "kzqhxdvlgucgimd.exe"	kzqhxdvlgucgimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "agiuaggrxqunz.exe"	kzqhxdvlgucgimd.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	byoctyoycu.exe
File opened (read-only)	\??\g:	gfiwslxw.exe
File opened (read-only)	\??\z:	gfiwslxw.exe
File opened (read-only)	\??\j:	gfiwslxw.exe
File opened (read-only)	\??\l:	gfiwslxw.exe
File opened (read-only)	\??\a:	byoctyoycu.exe
File opened (read-only)	\??\q:	byoctyoycu.exe
File opened (read-only)	\??\p:	gfiwslxw.exe
File opened (read-only)	\??\q:	gfiwslxw.exe
File opened (read-only)	\??\t:	gfiwslxw.exe
File opened (read-only)	\??\i:	gfiwslxw.exe
File opened (read-only)	\??\v:	gfiwslxw.exe
File opened (read-only)	\??\s:	gfiwslxw.exe
File opened (read-only)	\??\a:	gfiwslxw.exe
File opened (read-only)	\??\j:	gfiwslxw.exe
File opened (read-only)	\??\y:	gfiwslxw.exe
File opened (read-only)	\??\b:	byoctyoycu.exe
File opened (read-only)	\??\n:	byoctyoycu.exe
File opened (read-only)	\??\b:	gfiwslxw.exe
File opened (read-only)	\??\n:	gfiwslxw.exe
File opened (read-only)	\??\o:	gfiwslxw.exe
File opened (read-only)	\??\p:	gfiwslxw.exe
File opened (read-only)	\??\n:	gfiwslxw.exe
File opened (read-only)	\??\y:	byoctyoycu.exe
File opened (read-only)	\??\a:	gfiwslxw.exe
File opened (read-only)	\??\x:	gfiwslxw.exe
File opened (read-only)	\??\y:	gfiwslxw.exe
File opened (read-only)	\??\r:	byoctyoycu.exe
File opened (read-only)	\??\z:	byoctyoycu.exe
File opened (read-only)	\??\e:	gfiwslxw.exe
File opened (read-only)	\??\k:	gfiwslxw.exe
File opened (read-only)	\??\l:	gfiwslxw.exe
File opened (read-only)	\??\t:	gfiwslxw.exe
File opened (read-only)	\??\w:	gfiwslxw.exe
File opened (read-only)	\??\r:	gfiwslxw.exe
File opened (read-only)	\??\j:	byoctyoycu.exe
File opened (read-only)	\??\k:	byoctyoycu.exe
File opened (read-only)	\??\w:	byoctyoycu.exe
File opened (read-only)	\??\x:	byoctyoycu.exe
File opened (read-only)	\??\i:	gfiwslxw.exe
File opened (read-only)	\??\e:	gfiwslxw.exe
File opened (read-only)	\??\m:	gfiwslxw.exe
File opened (read-only)	\??\u:	gfiwslxw.exe
File opened (read-only)	\??\e:	byoctyoycu.exe
File opened (read-only)	\??\h:	byoctyoycu.exe
File opened (read-only)	\??\g:	gfiwslxw.exe
File opened (read-only)	\??\g:	byoctyoycu.exe
File opened (read-only)	\??\p:	byoctyoycu.exe
File opened (read-only)	\??\k:	gfiwslxw.exe
File opened (read-only)	\??\o:	byoctyoycu.exe
File opened (read-only)	\??\h:	gfiwslxw.exe
File opened (read-only)	\??\m:	byoctyoycu.exe
File opened (read-only)	\??\w:	gfiwslxw.exe
File opened (read-only)	\??\l:	byoctyoycu.exe
File opened (read-only)	\??\u:	byoctyoycu.exe
File opened (read-only)	\??\x:	gfiwslxw.exe
File opened (read-only)	\??\r:	gfiwslxw.exe
File opened (read-only)	\??\b:	gfiwslxw.exe
File opened (read-only)	\??\m:	gfiwslxw.exe
File opened (read-only)	\??\u:	gfiwslxw.exe
File opened (read-only)	\??\z:	gfiwslxw.exe
File opened (read-only)	\??\h:	gfiwslxw.exe
File opened (read-only)	\??\i:	byoctyoycu.exe
File opened (read-only)	\??\s:	byoctyoycu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	byoctyoycu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	byoctyoycu.exe

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1136-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x001000000000b1f5-5.dat	autoit_exe
behavioral1/files/0x0004000000004ed7-17.dat	autoit_exe
behavioral1/files/0x000c00000001225f-24.dat	autoit_exe
behavioral1/files/0x00310000000142c9-34.dat	autoit_exe
behavioral1/files/0x00310000000142c9-38.dat	autoit_exe
behavioral1/files/0x000c00000001225f-43.dat	autoit_exe
behavioral1/files/0x000c00000001225f-42.dat	autoit_exe
behavioral1/files/0x0006000000015cab-77.dat	autoit_exe
behavioral1/files/0x0006000000015cdd-80.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\byoctyoycu.exe	490af43a1ba402f98445a6dfe8668770.exe
File created	C:\Windows\SysWOW64\kzqhxdvlgucgimd.exe	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\SysWOW64\kzqhxdvlgucgimd.exe	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\SysWOW64\gfiwslxw.exe	490af43a1ba402f98445a6dfe8668770.exe
File created	C:\Windows\SysWOW64\agiuaggrxqunz.exe	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\SysWOW64\agiuaggrxqunz.exe	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\SysWOW64\byoctyoycu.exe	490af43a1ba402f98445a6dfe8668770.exe
File created	C:\Windows\SysWOW64\gfiwslxw.exe	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	byoctyoycu.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gfiwslxw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gfiwslxw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	gfiwslxw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	gfiwslxw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gfiwslxw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gfiwslxw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	gfiwslxw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	gfiwslxw.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	490af43a1ba402f98445a6dfe8668770.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	byoctyoycu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E89FFFB4829826D9140D7207D92BCEFE643584666426330D69E"	490af43a1ba402f98445a6dfe8668770.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	byoctyoycu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	byoctyoycu.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	490af43a1ba402f98445a6dfe8668770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7806BC1FF6E22D9D10CD0D38B789116"	490af43a1ba402f98445a6dfe8668770.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	byoctyoycu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	byoctyoycu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1664	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
2944	kzqhxdvlgucgimd.exe
2944	kzqhxdvlgucgimd.exe
2944	kzqhxdvlgucgimd.exe
2944	kzqhxdvlgucgimd.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2944	kzqhxdvlgucgimd.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: 33	772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	772	AUDIODG.EXE
Token: 33	772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	772	AUDIODG.EXE
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe
Token: SeShutdownPrivilege	268	explorer.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
2944	kzqhxdvlgucgimd.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
2944	kzqhxdvlgucgimd.exe
2952	byoctyoycu.exe
2944	kzqhxdvlgucgimd.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
1820	gfiwslxw.exe
268	explorer.exe
268	explorer.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
1136	490af43a1ba402f98445a6dfe8668770.exe
2944	kzqhxdvlgucgimd.exe
2952	byoctyoycu.exe
2952	byoctyoycu.exe
2944	kzqhxdvlgucgimd.exe
2952	byoctyoycu.exe
2944	kzqhxdvlgucgimd.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
1972	gfiwslxw.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
2104	agiuaggrxqunz.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
1820	gfiwslxw.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe
268	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1664	WINWORD.EXE
1664	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 2952	1136	490af43a1ba402f98445a6dfe8668770.exe	27
PID 1136 wrote to memory of 2952	1136	490af43a1ba402f98445a6dfe8668770.exe	27
PID 1136 wrote to memory of 2952	1136	490af43a1ba402f98445a6dfe8668770.exe	27
PID 1136 wrote to memory of 2952	1136	490af43a1ba402f98445a6dfe8668770.exe	27
PID 1136 wrote to memory of 2944	1136	490af43a1ba402f98445a6dfe8668770.exe	30
PID 1136 wrote to memory of 2944	1136	490af43a1ba402f98445a6dfe8668770.exe	30
PID 1136 wrote to memory of 2944	1136	490af43a1ba402f98445a6dfe8668770.exe	30
PID 1136 wrote to memory of 2944	1136	490af43a1ba402f98445a6dfe8668770.exe	30
PID 1136 wrote to memory of 1972	1136	490af43a1ba402f98445a6dfe8668770.exe	28
PID 1136 wrote to memory of 1972	1136	490af43a1ba402f98445a6dfe8668770.exe	28
PID 1136 wrote to memory of 1972	1136	490af43a1ba402f98445a6dfe8668770.exe	28
PID 1136 wrote to memory of 1972	1136	490af43a1ba402f98445a6dfe8668770.exe	28
PID 1136 wrote to memory of 2104	1136	490af43a1ba402f98445a6dfe8668770.exe	29
PID 1136 wrote to memory of 2104	1136	490af43a1ba402f98445a6dfe8668770.exe	29
PID 1136 wrote to memory of 2104	1136	490af43a1ba402f98445a6dfe8668770.exe	29
PID 1136 wrote to memory of 2104	1136	490af43a1ba402f98445a6dfe8668770.exe	29
PID 2952 wrote to memory of 1820	2952	byoctyoycu.exe	34
PID 2952 wrote to memory of 1820	2952	byoctyoycu.exe	34
PID 2952 wrote to memory of 1820	2952	byoctyoycu.exe	34
PID 2952 wrote to memory of 1820	2952	byoctyoycu.exe	34
PID 1136 wrote to memory of 1664	1136	490af43a1ba402f98445a6dfe8668770.exe	35
PID 1136 wrote to memory of 1664	1136	490af43a1ba402f98445a6dfe8668770.exe	35
PID 1136 wrote to memory of 1664	1136	490af43a1ba402f98445a6dfe8668770.exe	35
PID 1136 wrote to memory of 1664	1136	490af43a1ba402f98445a6dfe8668770.exe	35
PID 1664 wrote to memory of 2828	1664	WINWORD.EXE	39
PID 1664 wrote to memory of 2828	1664	WINWORD.EXE	39
PID 1664 wrote to memory of 2828	1664	WINWORD.EXE	39
PID 1664 wrote to memory of 2828	1664	WINWORD.EXE	39

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\490af43a1ba402f98445a6dfe8668770.exe
"C:\Users\Admin\AppData\Local\Temp\490af43a1ba402f98445a6dfe8668770.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\SysWOW64\byoctyoycu.exe
  byoctyoycu.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\gfiwslxw.exe
    C:\Windows\system32\gfiwslxw.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1820
- C:\Windows\SysWOW64\gfiwslxw.exe
  gfiwslxw.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1972
- C:\Windows\SysWOW64\agiuaggrxqunz.exe
  agiuaggrxqunz.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2104
- C:\Windows\SysWOW64\kzqhxdvlgucgimd.exe
  kzqhxdvlgucgimd.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2944
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2828

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
569e3fd1acc8e14ef8b502e023c16f57

SHA1
dc3891dc1f559e43a24fa864ebf944bf938d9ad0

SHA256
b1cee7dfdeb1549ebf2562c7f2613e8381af4ced154ec2127f93cea78ca26654

SHA512
f26adac76eedf3fbfbb5d17a1d93d0080cd515ec36d99ee29a3706e7fb619fd74c04673c0e0c67cc506debcdf10caff1344e828d7bced0941ca90066fc304564

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
1d8ff152a949ed37d2121d5fdf4e85ea

SHA1
46b7cedc78a23bde84ff6708d29b6017f8bb9d1e

SHA256
ed9a4ebf15090498186b728eadff843146998f3f762b715557ae0dfcca3cd6bc

SHA512
3af96f57be1f8f2bbc35b10d3bf660b3684506c64669617ed737c8e4dda03f7bf0ca2ff9ed7427459d00ece2f99e6e12822cbcd2d03073283a43288c03890eb8

Download Submit
C:\Windows\SysWOW64\agiuaggrxqunz.exe

Filesize
480KB

MD5
324b67f861792beb7fba41525036bbfb

SHA1
dd89e0573763b63202e1dcada90deb8a34707845

SHA256
005a87a76f01cc94ad0027ce202a9c9cf8a630c76f5a0da40c90831eed76703e

SHA512
6ff29c64bba34c873bc736be817728aad863da4eb8745f3a1596acc808a8f6a272714d7bb3c2d564a02c2a62eaf65701148006796918afd271a74c98c347c938

Download Submit
C:\Windows\SysWOW64\gfiwslxw.exe

Filesize
121KB

MD5
bbb86692347f4b0d690d113f816c2c7c

SHA1
be285d7976bd164061993a9e13f1e6db44976682

SHA256
e517413796dbbc14f6a8126f810a124f39092a12bea8e704ccd9c89ee456af41

SHA512
3ca7a8f1d87d8bbececbf6d187b5af07ff48b2edaefd89615a07f75b74b8472efe8fc8fbe8c3762c31e270cb083502c11bb35b939ec10305bc45c6b19f3c410e

Download Submit
C:\Windows\SysWOW64\kzqhxdvlgucgimd.exe

Filesize
512KB

MD5
82bc327de2e0113a343fbb449080e604

SHA1
63b0f261245c9549b7f0be9f091dbf1888dc201a

SHA256
6fc993131746981af632da2bc9361612f0f2f0d9df463bb02c36c338cd83c9ef

SHA512
aa98b1157cdbc797f8e7bca1c7d5dbe40c5dc56ee3d9ca35f5c3ccf9a784da81c6aa3d842b55eaa848406bc8104fe6f9f5f2a082fb9c63ab8bbd9efa66ccc57f

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\agiuaggrxqunz.exe

Filesize
512KB

MD5
030644e91b033125060f76d5ca27b916

SHA1
36e190c99dc44d596f23c73639ab7de27b573a57

SHA256
76554de08bfcc12c481a628bc95b9d12827450fe273e31db45c12c566a68c87d

SHA512
ab9595e04dd4bbd16150c28bd6d1f0099dfacf52d0128af1dbbcee81d5e1200bd09af73dace0ba28e374bb97e07efa0936f47c072e451a35a671d9c54c64fb5d

Download Submit
\Windows\SysWOW64\byoctyoycu.exe

Filesize
512KB

MD5
6fc2b9daeea88717e4ae148c95d1c5a0

SHA1
9a4633e68851ce833847c13fa312e3c272460e03

SHA256
e675bf0496895953c1972df72da935a9284e8940bd4e8098b723768ea38135d6

SHA512
a23f0840ba20f72894b05e597fefbad7ac17abd51f34cf1ad59bcf0ef6184668b4f835c3b3ce50f03e1dcfc427d1e34b49a5f90b338989f8a4cfa1f888b0618a

Download Submit
\Windows\SysWOW64\gfiwslxw.exe

Filesize
512KB

MD5
a7e0501329cc7c403ff2417a38c45555

SHA1
4c0a23c52b24a38a5f3817994fdb0f68eabb2df5

SHA256
d36cfc8b6a11ec26f89a03cd759ffd690fb308143705f261de8f5bb1858db3d5

SHA512
f80c90669d87959aa285a63881bb44eb78cfa3679fc15369aa39e814a76f877ecc44fd04785c88bdcdc1fe8dd7b981a054b3dccbae6df403af4c2949551f340e

Download Submit
\Windows\SysWOW64\gfiwslxw.exe

Filesize
195KB

MD5
69dd406e48276f847859e1d7af6fa2a0

SHA1
66a36996c04df245d3299c2423891bd09d7a4b27

SHA256
e4432ececea5bbb1b38b582baad37509dc72441ec29860600a4b98b019ecfa7c

SHA512
e52fe057dadc13a59ec5890918bb94b2064fd54eb9afc9a354c3bdf8054059298fe86eca650496bd73fb42dddeee58e4637ae83825321208e2602c7d5e48eb57

Download Submit
memory/268-65-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/268-69-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/1136-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/1664-47-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1664-66-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1664-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1664-45-0x000000002F171000-0x000000002F172000-memory.dmp

Filesize
4KB

Download