0db52b09c8c7c64c51c8923c1c7580e2f27b70e91172b00b20ccdceab99dfb33

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7822ab79c42b8084d8e1ea3b498d6828.exe
Size

512KB
MD5

7822ab79c42b8084d8e1ea3b498d6828
SHA1

4ba32b1fe142cc8fcffb4fd5d3947ad78920e016
SHA256

0db52b09c8c7c64c51c8923c1c7580e2f27b70e91172b00b20ccdceab99dfb33
SHA512

d4fa69712661dd9c5125d770a8944f9a06f09d325c6393d4177f1c94fc246f5bd00a451dc24702bbd7875ffa719eea5c0d2ecf6b2ff3fd22b3d743cc4f8e7a85
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ulxorurwts.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ulxorurwts.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ulxorurwts.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ulxorurwts.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2836	ulxorurwts.exe
2868	qipaaydeizpyype.exe
2732	lqdhlpbk.exe
2892	aitqcpihkvpfq.exe
2612	lqdhlpbk.exe

Loads dropped DLL 5 IoCs

pid	Process
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2836	ulxorurwts.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ulxorurwts.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yydfyjmi = "ulxorurwts.exe"	qipaaydeizpyype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbptqnyd = "qipaaydeizpyype.exe"	qipaaydeizpyype.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "aitqcpihkvpfq.exe"	qipaaydeizpyype.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	lqdhlpbk.exe
File opened (read-only)	\??\l:	ulxorurwts.exe
File opened (read-only)	\??\t:	lqdhlpbk.exe
File opened (read-only)	\??\g:	ulxorurwts.exe
File opened (read-only)	\??\y:	ulxorurwts.exe
File opened (read-only)	\??\i:	lqdhlpbk.exe
File opened (read-only)	\??\w:	lqdhlpbk.exe
File opened (read-only)	\??\q:	lqdhlpbk.exe
File opened (read-only)	\??\r:	lqdhlpbk.exe
File opened (read-only)	\??\a:	ulxorurwts.exe
File opened (read-only)	\??\g:	lqdhlpbk.exe
File opened (read-only)	\??\l:	lqdhlpbk.exe
File opened (read-only)	\??\k:	lqdhlpbk.exe
File opened (read-only)	\??\y:	lqdhlpbk.exe
File opened (read-only)	\??\l:	lqdhlpbk.exe
File opened (read-only)	\??\g:	lqdhlpbk.exe
File opened (read-only)	\??\q:	ulxorurwts.exe
File opened (read-only)	\??\u:	ulxorurwts.exe
File opened (read-only)	\??\x:	lqdhlpbk.exe
File opened (read-only)	\??\e:	lqdhlpbk.exe
File opened (read-only)	\??\a:	lqdhlpbk.exe
File opened (read-only)	\??\v:	ulxorurwts.exe
File opened (read-only)	\??\o:	lqdhlpbk.exe
File opened (read-only)	\??\z:	lqdhlpbk.exe
File opened (read-only)	\??\n:	ulxorurwts.exe
File opened (read-only)	\??\o:	ulxorurwts.exe
File opened (read-only)	\??\p:	ulxorurwts.exe
File opened (read-only)	\??\z:	ulxorurwts.exe
File opened (read-only)	\??\u:	lqdhlpbk.exe
File opened (read-only)	\??\i:	lqdhlpbk.exe
File opened (read-only)	\??\y:	lqdhlpbk.exe
File opened (read-only)	\??\x:	ulxorurwts.exe
File opened (read-only)	\??\m:	lqdhlpbk.exe
File opened (read-only)	\??\q:	lqdhlpbk.exe
File opened (read-only)	\??\t:	lqdhlpbk.exe
File opened (read-only)	\??\m:	lqdhlpbk.exe
File opened (read-only)	\??\j:	ulxorurwts.exe
File opened (read-only)	\??\m:	ulxorurwts.exe
File opened (read-only)	\??\w:	lqdhlpbk.exe
File opened (read-only)	\??\w:	ulxorurwts.exe
File opened (read-only)	\??\s:	lqdhlpbk.exe
File opened (read-only)	\??\j:	lqdhlpbk.exe
File opened (read-only)	\??\v:	lqdhlpbk.exe
File opened (read-only)	\??\h:	ulxorurwts.exe
File opened (read-only)	\??\h:	lqdhlpbk.exe
File opened (read-only)	\??\r:	lqdhlpbk.exe
File opened (read-only)	\??\z:	lqdhlpbk.exe
File opened (read-only)	\??\s:	ulxorurwts.exe
File opened (read-only)	\??\k:	ulxorurwts.exe
File opened (read-only)	\??\p:	lqdhlpbk.exe
File opened (read-only)	\??\s:	lqdhlpbk.exe
File opened (read-only)	\??\i:	ulxorurwts.exe
File opened (read-only)	\??\r:	ulxorurwts.exe
File opened (read-only)	\??\t:	ulxorurwts.exe
File opened (read-only)	\??\e:	lqdhlpbk.exe
File opened (read-only)	\??\o:	lqdhlpbk.exe
File opened (read-only)	\??\a:	lqdhlpbk.exe
File opened (read-only)	\??\u:	lqdhlpbk.exe
File opened (read-only)	\??\x:	lqdhlpbk.exe
File opened (read-only)	\??\b:	ulxorurwts.exe
File opened (read-only)	\??\b:	lqdhlpbk.exe
File opened (read-only)	\??\h:	lqdhlpbk.exe
File opened (read-only)	\??\n:	lqdhlpbk.exe
File opened (read-only)	\??\p:	lqdhlpbk.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ulxorurwts.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ulxorurwts.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2264-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000122fc-5.dat	autoit_exe
behavioral1/files/0x000c0000000122d5-17.dat	autoit_exe
behavioral1/files/0x002c000000014824-27.dat	autoit_exe
behavioral1/files/0x0007000000014bf8-41.dat	autoit_exe
behavioral1/files/0x0006000000015e2e-73.dat	autoit_exe
behavioral1/files/0x0006000000015ea1-77.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\lqdhlpbk.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File created	C:\Windows\SysWOW64\aitqcpihkvpfq.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ulxorurwts.exe
File created	C:\Windows\SysWOW64\ulxorurwts.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File opened for modification	C:\Windows\SysWOW64\qipaaydeizpyype.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File created	C:\Windows\SysWOW64\lqdhlpbk.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File opened for modification	C:\Windows\SysWOW64\aitqcpihkvpfq.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File opened for modification	C:\Windows\SysWOW64\ulxorurwts.exe	7822ab79c42b8084d8e1ea3b498d6828.exe
File created	C:\Windows\SysWOW64\qipaaydeizpyype.exe	7822ab79c42b8084d8e1ea3b498d6828.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	lqdhlpbk.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	lqdhlpbk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	lqdhlpbk.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	lqdhlpbk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	lqdhlpbk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	lqdhlpbk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	lqdhlpbk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	7822ab79c42b8084d8e1ea3b498d6828.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC7B02B479539EA53B9B9D232E8D7CD"	7822ab79c42b8084d8e1ea3b498d6828.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	ulxorurwts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C60814E2DBBFB9BC7C93EC9734CD"	7822ab79c42b8084d8e1ea3b498d6828.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ulxorurwts.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ulxorurwts.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2276	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2732	lqdhlpbk.exe
2732	lqdhlpbk.exe
2732	lqdhlpbk.exe
2732	lqdhlpbk.exe
2868	qipaaydeizpyype.exe
2612	lqdhlpbk.exe
2612	lqdhlpbk.exe
2612	lqdhlpbk.exe
2612	lqdhlpbk.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2868	qipaaydeizpyype.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe
Token: SeShutdownPrivilege	2252	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2868	qipaaydeizpyype.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2732	lqdhlpbk.exe
2732	lqdhlpbk.exe
2732	lqdhlpbk.exe
2612	lqdhlpbk.exe
2612	lqdhlpbk.exe
2612	lqdhlpbk.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2264	7822ab79c42b8084d8e1ea3b498d6828.exe
2868	qipaaydeizpyype.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2836	ulxorurwts.exe
2868	qipaaydeizpyype.exe
2868	qipaaydeizpyype.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2892	aitqcpihkvpfq.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe
2252	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2276	WINWORD.EXE
2276	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2836	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	28
PID 2264 wrote to memory of 2836	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	28
PID 2264 wrote to memory of 2836	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	28
PID 2264 wrote to memory of 2836	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	28
PID 2264 wrote to memory of 2868	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	29
PID 2264 wrote to memory of 2868	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	29
PID 2264 wrote to memory of 2868	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	29
PID 2264 wrote to memory of 2868	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	29
PID 2264 wrote to memory of 2732	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	30
PID 2264 wrote to memory of 2732	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	30
PID 2264 wrote to memory of 2732	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	30
PID 2264 wrote to memory of 2732	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	30
PID 2264 wrote to memory of 2892	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	31
PID 2264 wrote to memory of 2892	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	31
PID 2264 wrote to memory of 2892	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	31
PID 2264 wrote to memory of 2892	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	31
PID 2836 wrote to memory of 2612	2836	ulxorurwts.exe	32
PID 2836 wrote to memory of 2612	2836	ulxorurwts.exe	32
PID 2836 wrote to memory of 2612	2836	ulxorurwts.exe	32
PID 2836 wrote to memory of 2612	2836	ulxorurwts.exe	32
PID 2264 wrote to memory of 2276	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	33
PID 2264 wrote to memory of 2276	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	33
PID 2264 wrote to memory of 2276	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	33
PID 2264 wrote to memory of 2276	2264	7822ab79c42b8084d8e1ea3b498d6828.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828.exe
"C:\Users\Admin\AppData\Local\Temp\7822ab79c42b8084d8e1ea3b498d6828.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\SysWOW64\ulxorurwts.exe
  ulxorurwts.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\lqdhlpbk.exe
    C:\Windows\system32\lqdhlpbk.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2612
- C:\Windows\SysWOW64\qipaaydeizpyype.exe
  qipaaydeizpyype.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2868
- C:\Windows\SysWOW64\lqdhlpbk.exe
  lqdhlpbk.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2732
- C:\Windows\SysWOW64\aitqcpihkvpfq.exe
  aitqcpihkvpfq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2892
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2276

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
0c2cd520fe714f2804d5332fe77cf5b9

SHA1
d974581f2c5d130627d2e6274cdebe6bd74a2f18

SHA256
7720edfa77561c6c62491f27e8872296d2772a199fcd03377028569962e4da1d

SHA512
8e2d040febb31fd90c9a0652ac14f2e278dfb79ef1ed187a19cb73c231fab6476117ef6e0c16694e8d3582eb0cf0cfd234b0f553617c0f71ec3994190f0ec652

Download Submit
C:\Users\Admin\Desktop\ImportConfirm.doc.exe

Filesize
512KB

MD5
dc5495733149b4b7583911f2de6095f7

SHA1
03a7e144aca2cac65f11cffe66193b9beae55900

SHA256
e859539c8c5075fcc2da32b52ccc6a26496802af3fc2665c135a91393c6aec79

SHA512
d777be218efdcc2e150f075738a4c386247fb72e8960f8a7d382c956b8aafdc0fffddfd7c1d3a34f4febdc7e3b0f12c3340c3b53169e273493b5197b4dceacc8

Download Submit
C:\Windows\SysWOW64\aitqcpihkvpfq.exe

Filesize
512KB

MD5
fe53bb2b461b253e546861c7aa25c0ce

SHA1
2c8e295552dd893a3bd5b476455b3923386c2d98

SHA256
ba90a4229e13df0f55b7888d326748836e1cb14debf249dfb4c452011792e197

SHA512
70477c758c81326e01e68306b83934f31367e98ff6c77f28252af4f1f8f3867dcd25288056dbfc26da3e5451b0741706c44b373b1e972e06bdd8c4b61bc4341f

Download Submit
C:\Windows\SysWOW64\qipaaydeizpyype.exe

Filesize
512KB

MD5
b4bc8b7c1fcc1ccb88cfd8f65d003d17

SHA1
3b5fa9bdff2a3a7800c95a80baae6308ce2ef08c

SHA256
2fc02c02f38361380723035df7c9424c143be4e51bb41b0e394444de0aebed5e

SHA512
2278395d17400e0d5db44291825733d3291dcc1f809710243d5821cb2595b40dfc1365d65e9610132b526fa98fa44afdb3954cc128d5d7c9bb0bb8b56b23bcaf

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\lqdhlpbk.exe

Filesize
512KB

MD5
d2a03a70e9289f8929efdd03151f2486

SHA1
89bf5b3ed4eef84de5cc5830a68fd90cff4e36f2

SHA256
6bc676ccf44fda8b2642450d2d2d33a3f19a0b59a2ab40835c6fca8ee21537d7

SHA512
38eaaf272c3ecbe2977e2e5fbdb4ed0f9a67a226cd18e7d06a3cc6902036cf39ccdd81dbc1e628467febeaeb22b9150e8ca328014e6377dec14bb4811bf81c3d

Download Submit
\Windows\SysWOW64\ulxorurwts.exe

Filesize
512KB

MD5
80246307feecfbb4a8a11fa2b525c0f0

SHA1
d6d989b848efde35d735d3a65779ee66cf89cf8f

SHA256
126adf8d7cce301cf23728d92041c1915bda63d58bf0f4c35b8df18a9798f0ca

SHA512
1fb532a5dd29bb7cdc45d9605ca5d4f2a5637b17f27d537472d4de5f49cef6013a70603f270eb388c488ea0d221c54d459a3e4331063b1332270c0b2bb0337e0

Download Submit
memory/2252-81-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/2252-83-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/2252-89-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/2264-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2276-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2276-47-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/2276-45-0x000000002F891000-0x000000002F892000-memory.dmp

Filesize
4KB

Download
memory/2276-82-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download