f74e1f8bb9b8fd81cb1174c39233ca2f6c2726bd0c015e3fc3e87313a4a721bf

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

469c9f35d47dcbbdf7135c893430fa33.exe
Size

512KB
MD5

469c9f35d47dcbbdf7135c893430fa33
SHA1

04b660df1b63c0da69de9b0ff1d3cca546cd548a
SHA256

f74e1f8bb9b8fd81cb1174c39233ca2f6c2726bd0c015e3fc3e87313a4a721bf
SHA512

96bbf0129bb4af6161b765f02e8d639bb6dcbc83a6996cac274174b003f504c618ae5c30bf04d5925eda1d9a015475fadeb6e1d1929e767b8612aacf5ea7aadb
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6P:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	veokwoutrz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	veokwoutrz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	veokwoutrz.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	veokwoutrz.exe

Executes dropped EXE 5 IoCs

pid	Process
2940	veokwoutrz.exe
2148	hegkknojjaobagy.exe
2700	csaefuyf.exe
2760	zhjmgojxregxm.exe
2564	csaefuyf.exe

Loads dropped DLL 5 IoCs

pid	Process
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2940	veokwoutrz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	veokwoutrz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dveelxbp = "hegkknojjaobagy.exe"	hegkknojjaobagy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zhjmgojxregxm.exe"	hegkknojjaobagy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sheugfzp = "veokwoutrz.exe"	hegkknojjaobagy.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	veokwoutrz.exe
File opened (read-only)	\??\n:	csaefuyf.exe
File opened (read-only)	\??\p:	csaefuyf.exe
File opened (read-only)	\??\h:	csaefuyf.exe
File opened (read-only)	\??\l:	csaefuyf.exe
File opened (read-only)	\??\y:	csaefuyf.exe
File opened (read-only)	\??\o:	veokwoutrz.exe
File opened (read-only)	\??\p:	veokwoutrz.exe
File opened (read-only)	\??\x:	csaefuyf.exe
File opened (read-only)	\??\g:	csaefuyf.exe
File opened (read-only)	\??\p:	csaefuyf.exe
File opened (read-only)	\??\x:	veokwoutrz.exe
File opened (read-only)	\??\a:	csaefuyf.exe
File opened (read-only)	\??\s:	csaefuyf.exe
File opened (read-only)	\??\z:	csaefuyf.exe
File opened (read-only)	\??\j:	csaefuyf.exe
File opened (read-only)	\??\m:	csaefuyf.exe
File opened (read-only)	\??\z:	csaefuyf.exe
File opened (read-only)	\??\w:	csaefuyf.exe
File opened (read-only)	\??\g:	veokwoutrz.exe
File opened (read-only)	\??\g:	csaefuyf.exe
File opened (read-only)	\??\e:	csaefuyf.exe
File opened (read-only)	\??\i:	csaefuyf.exe
File opened (read-only)	\??\r:	csaefuyf.exe
File opened (read-only)	\??\v:	veokwoutrz.exe
File opened (read-only)	\??\q:	csaefuyf.exe
File opened (read-only)	\??\q:	veokwoutrz.exe
File opened (read-only)	\??\s:	veokwoutrz.exe
File opened (read-only)	\??\h:	csaefuyf.exe
File opened (read-only)	\??\y:	csaefuyf.exe
File opened (read-only)	\??\v:	csaefuyf.exe
File opened (read-only)	\??\a:	veokwoutrz.exe
File opened (read-only)	\??\h:	veokwoutrz.exe
File opened (read-only)	\??\t:	veokwoutrz.exe
File opened (read-only)	\??\e:	csaefuyf.exe
File opened (read-only)	\??\j:	veokwoutrz.exe
File opened (read-only)	\??\n:	veokwoutrz.exe
File opened (read-only)	\??\t:	csaefuyf.exe
File opened (read-only)	\??\w:	csaefuyf.exe
File opened (read-only)	\??\o:	csaefuyf.exe
File opened (read-only)	\??\m:	veokwoutrz.exe
File opened (read-only)	\??\q:	csaefuyf.exe
File opened (read-only)	\??\t:	csaefuyf.exe
File opened (read-only)	\??\x:	csaefuyf.exe
File opened (read-only)	\??\k:	csaefuyf.exe
File opened (read-only)	\??\l:	csaefuyf.exe
File opened (read-only)	\??\o:	csaefuyf.exe
File opened (read-only)	\??\m:	csaefuyf.exe
File opened (read-only)	\??\s:	csaefuyf.exe
File opened (read-only)	\??\k:	veokwoutrz.exe
File opened (read-only)	\??\r:	veokwoutrz.exe
File opened (read-only)	\??\v:	csaefuyf.exe
File opened (read-only)	\??\n:	csaefuyf.exe
File opened (read-only)	\??\b:	veokwoutrz.exe
File opened (read-only)	\??\l:	veokwoutrz.exe
File opened (read-only)	\??\z:	veokwoutrz.exe
File opened (read-only)	\??\u:	csaefuyf.exe
File opened (read-only)	\??\e:	veokwoutrz.exe
File opened (read-only)	\??\i:	veokwoutrz.exe
File opened (read-only)	\??\w:	veokwoutrz.exe
File opened (read-only)	\??\i:	csaefuyf.exe
File opened (read-only)	\??\r:	csaefuyf.exe
File opened (read-only)	\??\b:	csaefuyf.exe
File opened (read-only)	\??\k:	csaefuyf.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	veokwoutrz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	veokwoutrz.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2356-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000c000000012738-5.dat	autoit_exe
behavioral1/files/0x000a00000001224a-17.dat	autoit_exe
behavioral1/files/0x000a00000001224a-20.dat	autoit_exe
behavioral1/files/0x000c000000012738-25.dat	autoit_exe
behavioral1/files/0x000a00000001224a-30.dat	autoit_exe
behavioral1/files/0x0007000000016441-39.dat	autoit_exe
behavioral1/files/0x003500000001604a-36.dat	autoit_exe
behavioral1/files/0x0007000000016441-41.dat	autoit_exe
behavioral1/files/0x0007000000016441-34.dat	autoit_exe
behavioral1/files/0x003500000001604a-32.dat	autoit_exe
behavioral1/files/0x000c000000012738-29.dat	autoit_exe
behavioral1/files/0x000c000000012738-21.dat	autoit_exe
behavioral1/files/0x003500000001604a-42.dat	autoit_exe
behavioral1/files/0x0006000000018b07-81.dat	autoit_exe
behavioral1/files/0x0006000000018b07-78.dat	autoit_exe
behavioral1/files/0x0006000000018b01-76.dat	autoit_exe
behavioral1/files/0x0006000000018b01-72.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csaefuyf.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File created	C:\Windows\SysWOW64\zhjmgojxregxm.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification	C:\Windows\SysWOW64\veokwoutrz.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File created	C:\Windows\SysWOW64\hegkknojjaobagy.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification	C:\Windows\SysWOW64\hegkknojjaobagy.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	veokwoutrz.exe
File created	C:\Windows\SysWOW64\veokwoutrz.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File created	C:\Windows\SysWOW64\csaefuyf.exe	469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification	C:\Windows\SysWOW64\zhjmgojxregxm.exe	469c9f35d47dcbbdf7135c893430fa33.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	csaefuyf.exe
File opened for modification	C:\Program Files\UninstallClear.doc.exe	csaefuyf.exe
File opened for modification	C:\Program Files\UninstallClear.nal	csaefuyf.exe
File opened for modification	C:\Program Files\UninstallClear.nal	csaefuyf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	csaefuyf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	csaefuyf.exe
File opened for modification	\??\c:\Program Files\UninstallClear.doc.exe	csaefuyf.exe
File created	\??\c:\Program Files\UninstallClear.doc.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	csaefuyf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	csaefuyf.exe
File opened for modification	\??\c:\Program Files\UninstallClear.doc.exe	csaefuyf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	csaefuyf.exe
File opened for modification	C:\Program Files\UninstallClear.doc.exe	csaefuyf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	csaefuyf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	csaefuyf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	469c9f35d47dcbbdf7135c893430fa33.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFAB1F96AF192837B3B3086ED39E2B0FC028A4367033BE1CF42E709A3"	469c9f35d47dcbbdf7135c893430fa33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	veokwoutrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F26BC4FE1822DDD20ED0A88B08906A"	469c9f35d47dcbbdf7135c893430fa33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	veokwoutrz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1844C70C15E7DABEB8C87F95EDE737C9"	469c9f35d47dcbbdf7135c893430fa33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	469c9f35d47dcbbdf7135c893430fa33.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
268	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2564	csaefuyf.exe
2564	csaefuyf.exe
2564	csaefuyf.exe
2564	csaefuyf.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2148	hegkknojjaobagy.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2564	csaefuyf.exe
2564	csaefuyf.exe
2564	csaefuyf.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2356	469c9f35d47dcbbdf7135c893430fa33.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2148	hegkknojjaobagy.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2940	veokwoutrz.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2700	csaefuyf.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2760	zhjmgojxregxm.exe
2564	csaefuyf.exe
2564	csaefuyf.exe
2564	csaefuyf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
268	WINWORD.EXE
268	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2940	2356	469c9f35d47dcbbdf7135c893430fa33.exe	28
PID 2356 wrote to memory of 2940	2356	469c9f35d47dcbbdf7135c893430fa33.exe	28
PID 2356 wrote to memory of 2940	2356	469c9f35d47dcbbdf7135c893430fa33.exe	28
PID 2356 wrote to memory of 2940	2356	469c9f35d47dcbbdf7135c893430fa33.exe	28
PID 2356 wrote to memory of 2148	2356	469c9f35d47dcbbdf7135c893430fa33.exe	29
PID 2356 wrote to memory of 2148	2356	469c9f35d47dcbbdf7135c893430fa33.exe	29
PID 2356 wrote to memory of 2148	2356	469c9f35d47dcbbdf7135c893430fa33.exe	29
PID 2356 wrote to memory of 2148	2356	469c9f35d47dcbbdf7135c893430fa33.exe	29
PID 2356 wrote to memory of 2700	2356	469c9f35d47dcbbdf7135c893430fa33.exe	33
PID 2356 wrote to memory of 2700	2356	469c9f35d47dcbbdf7135c893430fa33.exe	33
PID 2356 wrote to memory of 2700	2356	469c9f35d47dcbbdf7135c893430fa33.exe	33
PID 2356 wrote to memory of 2700	2356	469c9f35d47dcbbdf7135c893430fa33.exe	33
PID 2356 wrote to memory of 2760	2356	469c9f35d47dcbbdf7135c893430fa33.exe	32
PID 2356 wrote to memory of 2760	2356	469c9f35d47dcbbdf7135c893430fa33.exe	32
PID 2356 wrote to memory of 2760	2356	469c9f35d47dcbbdf7135c893430fa33.exe	32
PID 2356 wrote to memory of 2760	2356	469c9f35d47dcbbdf7135c893430fa33.exe	32
PID 2148 wrote to memory of 2852	2148	hegkknojjaobagy.exe	31
PID 2148 wrote to memory of 2852	2148	hegkknojjaobagy.exe	31
PID 2148 wrote to memory of 2852	2148	hegkknojjaobagy.exe	31
PID 2148 wrote to memory of 2852	2148	hegkknojjaobagy.exe	31
PID 2940 wrote to memory of 2564	2940	veokwoutrz.exe	34
PID 2940 wrote to memory of 2564	2940	veokwoutrz.exe	34
PID 2940 wrote to memory of 2564	2940	veokwoutrz.exe	34
PID 2940 wrote to memory of 2564	2940	veokwoutrz.exe	34
PID 2356 wrote to memory of 268	2356	469c9f35d47dcbbdf7135c893430fa33.exe	35
PID 2356 wrote to memory of 268	2356	469c9f35d47dcbbdf7135c893430fa33.exe	35
PID 2356 wrote to memory of 268	2356	469c9f35d47dcbbdf7135c893430fa33.exe	35
PID 2356 wrote to memory of 268	2356	469c9f35d47dcbbdf7135c893430fa33.exe	35
PID 268 wrote to memory of 1636	268	WINWORD.EXE	39
PID 268 wrote to memory of 1636	268	WINWORD.EXE	39
PID 268 wrote to memory of 1636	268	WINWORD.EXE	39
PID 268 wrote to memory of 1636	268	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe
"C:\Users\Admin\AppData\Local\Temp\469c9f35d47dcbbdf7135c893430fa33.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\veokwoutrz.exe
  veokwoutrz.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\csaefuyf.exe
    C:\Windows\system32\csaefuyf.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2564
- C:\Windows\SysWOW64\hegkknojjaobagy.exe
  hegkknojjaobagy.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c zhjmgojxregxm.exe
    3⤵
    PID:2852
- C:\Windows\SysWOW64\zhjmgojxregxm.exe
  zhjmgojxregxm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2760
- C:\Windows\SysWOW64\csaefuyf.exe
  csaefuyf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2700
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
54KB

MD5
f4032cd1c77a7d7d854897f17e5032d9

SHA1
fbab2edd210dd32775e2a4e187a901656b0dba6c

SHA256
e2171db6a9b8b607c815d016eed39dd45294a430eca71a72f0e9d0f5b90acd02

SHA512
133607cac5878b4d9b9ad855d8ab8dc0cca2f5cfce1cf55bd0358e6c59ecb2602de9247068d7cf9d05b6b8906900147216433947754418c5e89314ced8825b8f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
30KB

MD5
cfc1f955dcbd856a0c6ef4ecfa99feaa

SHA1
1f2b1d314d08e60134a0a666aa781f19577f147a

SHA256
a33953e397d90bd0863e9ca35d0c772596bbd4417c93e6ace4495956120178c1

SHA512
180d11bc45cf397dcc5682d8d39bc2b1230b896a25be11d7105332803996b04dda9ce309feddcd2acdc37c9a8cffb186c06f375a62df835320a9c85fa47e10c4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
64KB

MD5
47e3ccc2537e858b77e2d5fe7cc788d9

SHA1
a12fb8f3694bc8ab6f0444cadb5387325d2ac3eb

SHA256
a70d1a38e9657a4cb843a3d53663dcef55265078d7222fafec24e881772cf401

SHA512
1b59a9d6671d66f98e5ae9194882e39f5dbb2bad34cde7766fb56642a722a064335f003564ad8f89d385f8a3696817916df6a36cc23ce6502a06871d4cf439fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
08603bd55786751800fafc6f7e386a2e

SHA1
258f7020aef714a9c2929b19b71fe300cde63aa1

SHA256
a87f3d3da301a3fe973acefd09765c3967a327075943d605d1f1ef113b4d17d1

SHA512
82a97606e03e6157d07f383649e62f31144b4672be70a69ad698dc24f21aebb53f26896a0b68b7dc10f09645ed29b8f93f8e0251040af1b87cac333aa2677357

Download Submit
C:\Windows\SysWOW64\csaefuyf.exe

Filesize
484KB

MD5
c20b22a4d25384d8a0cd66d1f0bfcaab

SHA1
028106f49f28d18cc00a78330e8284c0a67faf06

SHA256
99da1f9baf086f6abfdf7649ae47abc1f7d3bf19f312094782a60a89f2b0db45

SHA512
936895a3dc399433cb1c15b4bd04f514d875e7e45f682a8675c706dba54762a6fb512d3846fb2668ad3227ed6e3ac07124e75c729b94b10e04bdfd1675d6fb47

Download Submit
C:\Windows\SysWOW64\csaefuyf.exe

Filesize
161KB

MD5
1a4f75add49bb607e1b39fd1f7f8bff9

SHA1
08fde774f69d0ef1ddca8981ccd4717065326949

SHA256
07b9f429b14f5b0aa31ed181014568942c8afadc0d13b59919be98c821cd6658

SHA512
e860066d61c164ad28802e6a0168db2a03e96e6ac1c264b1502ec43e58e6ff85c98aba9205851e61e42f750c5899ea6c2d6251d2ff6ff981c440939e6e15c070

Download Submit
C:\Windows\SysWOW64\hegkknojjaobagy.exe

Filesize
365KB

MD5
50f04569c229914edb77d0b53d5b130f

SHA1
2a518b3f9abac577f81b76583a5512ff4efbf883

SHA256
51d2703581fd83a5831ac168e9d48a19465e167f1d5146059642225ebc3d8281

SHA512
3ae0c2db8d308c1681a5927637c501b5c9c05743bf91ae1574b8dec4ff6cdc2535f83513b8f2432b5587193d497852c93204de2b41f8adae54849543ba692b82

Download Submit
C:\Windows\SysWOW64\hegkknojjaobagy.exe

Filesize
291KB

MD5
775db6a457f607f8ec9aef8d4462b799

SHA1
9582f883b5db2e150fc46fa88a375b3471f689f1

SHA256
ac2c20ff78912b2f140cdad9bc05c7ec0922ac3978c2bd0031b7c821bbe699e1

SHA512
d457ff0343e80303bcf70e95ddcad8951d70d5c03bd79ad0de51e6c4f7ebcaa613880548bf27f71ab36422fa862f9b7c3d228be0f776332ab4e62447e7d145cf

Download Submit
C:\Windows\SysWOW64\hegkknojjaobagy.exe

Filesize
306KB

MD5
10665347c243dd575cf456a1ccabf8d3

SHA1
001f80cb5b1a1d93179169d63ec148cb8a8235df

SHA256
fd7c996e7abd651fcc187899e9d838adec3bd6796989ea9d86aff731dfee7931

SHA512
bbc5cffe1c529aabcfa5031d704d89b1bd78102d8ddbb446afb502a723ad449d89c29177b81348086c55ff0365a88a225c32d553fef85bcd0d3b098b512f270c

Download Submit
C:\Windows\SysWOW64\veokwoutrz.exe

Filesize
253KB

MD5
97e963d23f6c5fdc7a0d21bb35ffa1b2

SHA1
f59a373d716baba0f598f023174e79675723334f

SHA256
dedc2c6c545ea650d51a3b36fc5e94962dc52d8ccecd835de0caf3af0028bc1f

SHA512
f5c893c32aa4ded2bbb56e37a43afb3e43ebe74d6e3373cf118e1ddd9b28e596de3103b8c55cf46c86b6d086a47bd5558e1a5bbfd66412d94240d88f0cf7d0c1

Download Submit
C:\Windows\SysWOW64\veokwoutrz.exe

Filesize
206KB

MD5
08f765d4f6a44b2943fdaa4767415e91

SHA1
512528ddfbfce4b5fb99b04a0935a0a6983c014f

SHA256
50bc5d74ec19d9c4be64975c36c6a3bdee9b3e000ec8e6c6bb497716a3fb7e03

SHA512
e9de2735e32c23b2c6c979e43527aa5208d9674c88b89a9323f94341895777c19fe633cab4c1f5d9b7439f48108da5c999e2987f6f56c4db9588ae80fb8fbc15

Download Submit
C:\Windows\SysWOW64\zhjmgojxregxm.exe

Filesize
347KB

MD5
d084325687bb449e4bfae8c3b6ea911d

SHA1
94c53a9a6a4d647489a13595d125ecf04d07609d

SHA256
b699b4641abc2b553f57a41a47acc1ec0e5db27b30a6c6f684d3da2b838b9364

SHA512
e4f516a0784ec8841f7a6a60c5d432b28fc5bf0c0c59ca4c9985a71a7b266f9a58de78d145c39375d6ea989d8d75d4a0a13bddc26212664cbe2ccfef2a90739c

Download Submit
C:\Windows\SysWOW64\zhjmgojxregxm.exe

Filesize
97KB

MD5
cb1e37785b27efb00cb958ea6f4f3789

SHA1
2ea3047a81f06aea3293cf9042babdc02bbefc52

SHA256
88bd6706fbd94e35a6e73c9eee983e9c840c8f2ad05533ec41d2855e9bc38907

SHA512
cd140c5c077314582814cc9092a9a9eff83b6356b1b1166aad5d0e509767423772eab4e167ccb9d48e14669e6588c291b29c138a3070da6f19b99e226da639dc

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\csaefuyf.exe

Filesize
512KB

MD5
afb8469eadd91b177c6b256a587878a5

SHA1
e210315d22a664ad8a3b171c2955f3bae1829e11

SHA256
0eafc6841a70482339bc68cc4e47797fadcd37b30cb3259969545a32c7d48d64

SHA512
9fd1de0392d29e8299aea64980edd937f63d1b99e03e6e87fd308dce53133279d909dc93ca3f949d54efb9dd5951b72cdf9a4760a84457a1197cf3f1b3ca1042

Download Submit
\Windows\SysWOW64\hegkknojjaobagy.exe

Filesize
296KB

MD5
ff7ff3fd8e8d4417e43f9d3a75c42da3

SHA1
08a07be1579608414d85a0053fdfd4f9b189e464

SHA256
63c928c15b81ffcb9c803fd637108acac3356c846a58f36d04409e1b81038c81

SHA512
54bae0811ab753505406b3686c0ed39a56c33619c78ef737421cd0f18a94b193ba37ec8563bec06e5c0af718227cb05af69a6719950a59682f0384da30b3f63a

Download Submit
\Windows\SysWOW64\veokwoutrz.exe

Filesize
512KB

MD5
854111985a818a29a09b6a0ac28a3605

SHA1
8c876d67327e3652c18a644b457a84976b0a24b9

SHA256
756371765752f132c0e5af598fc31d140176997ed834794883d3d497758a38b5

SHA512
fdf58b1dc6f9d295733d4150b3e46e2d80952b6fe5d50d1a267bcf1563bddc37a2fb2e70e9fa922ef030e9790d2d783044283e445115011c22d85f6394817bfd

Download Submit
\Windows\SysWOW64\zhjmgojxregxm.exe

Filesize
290KB

MD5
122c01d5b011347216f191e3a68a7430

SHA1
76eef2667b0ec1a4924600bf00bec20c29ddef4b

SHA256
455dad73d4138cc72445644c9be19a34591324fa1b07acabd8773c581133861d

SHA512
8b625cdbf4d20eddac8c50712eafc7ef1bde50d1f186bba793c520b146b73c377750b661732f2d75bd306a030b0c9003232935fc837eb1a6d213f0770408f65d

Download Submit
memory/268-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/268-70-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/268-47-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/268-45-0x000000002FB01000-0x000000002FB02000-memory.dmp

Filesize
4KB

Download
memory/268-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/268-103-0x0000000070D8D000-0x0000000070D98000-memory.dmp

Filesize
44KB

Download
memory/2356-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download