312d5d5661561fe40af4281524c7a872f8b3f0ff26710a52efbec4a04825cfb6

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8454f9bd7d91e7b04eda20436dcebb5.exe
Size

512KB
MD5

b8454f9bd7d91e7b04eda20436dcebb5
SHA1

119374f36cd329d9ed74c44b36216056119ac9fd
SHA256

312d5d5661561fe40af4281524c7a872f8b3f0ff26710a52efbec4a04825cfb6
SHA512

07c680adfb17d7ec4da89c1560d488727a01baf107110a88cec9ec0c886fc94be0df3b589d73e723d6c286ea48fa1a99fe35eb329cc9c9e379e0516db6fe4187
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6E:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5R

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	rfrjaocudr.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rfrjaocudr.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rfrjaocudr.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rfrjaocudr.exe

Executes dropped EXE 5 IoCs

pid	Process
1456	rfrjaocudr.exe
1888	mxjfxtfbogfcnfe.exe
2172	dnvjyfzx.exe
2644	xtpxcvvaljdmr.exe
2812	dnvjyfzx.exe

Loads dropped DLL 5 IoCs

pid	Process
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
1456	rfrjaocudr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rfrjaocudr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fcusfppa = "rfrjaocudr.exe"	mxjfxtfbogfcnfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fgpycksb = "mxjfxtfbogfcnfe.exe"	mxjfxtfbogfcnfe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xtpxcvvaljdmr.exe"	mxjfxtfbogfcnfe.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	rfrjaocudr.exe
File opened (read-only)	\??\q:	dnvjyfzx.exe
File opened (read-only)	\??\r:	dnvjyfzx.exe
File opened (read-only)	\??\e:	dnvjyfzx.exe
File opened (read-only)	\??\k:	dnvjyfzx.exe
File opened (read-only)	\??\t:	dnvjyfzx.exe
File opened (read-only)	\??\n:	rfrjaocudr.exe
File opened (read-only)	\??\i:	dnvjyfzx.exe
File opened (read-only)	\??\q:	dnvjyfzx.exe
File opened (read-only)	\??\z:	rfrjaocudr.exe
File opened (read-only)	\??\y:	dnvjyfzx.exe
File opened (read-only)	\??\w:	rfrjaocudr.exe
File opened (read-only)	\??\y:	rfrjaocudr.exe
File opened (read-only)	\??\j:	dnvjyfzx.exe
File opened (read-only)	\??\g:	dnvjyfzx.exe
File opened (read-only)	\??\n:	dnvjyfzx.exe
File opened (read-only)	\??\p:	dnvjyfzx.exe
File opened (read-only)	\??\x:	dnvjyfzx.exe
File opened (read-only)	\??\s:	rfrjaocudr.exe
File opened (read-only)	\??\b:	dnvjyfzx.exe
File opened (read-only)	\??\z:	dnvjyfzx.exe
File opened (read-only)	\??\b:	rfrjaocudr.exe
File opened (read-only)	\??\h:	rfrjaocudr.exe
File opened (read-only)	\??\v:	dnvjyfzx.exe
File opened (read-only)	\??\x:	dnvjyfzx.exe
File opened (read-only)	\??\r:	rfrjaocudr.exe
File opened (read-only)	\??\t:	rfrjaocudr.exe
File opened (read-only)	\??\s:	dnvjyfzx.exe
File opened (read-only)	\??\l:	dnvjyfzx.exe
File opened (read-only)	\??\m:	dnvjyfzx.exe
File opened (read-only)	\??\w:	dnvjyfzx.exe
File opened (read-only)	\??\y:	dnvjyfzx.exe
File opened (read-only)	\??\m:	rfrjaocudr.exe
File opened (read-only)	\??\b:	dnvjyfzx.exe
File opened (read-only)	\??\s:	dnvjyfzx.exe
File opened (read-only)	\??\l:	dnvjyfzx.exe
File opened (read-only)	\??\k:	rfrjaocudr.exe
File opened (read-only)	\??\o:	rfrjaocudr.exe
File opened (read-only)	\??\h:	dnvjyfzx.exe
File opened (read-only)	\??\g:	rfrjaocudr.exe
File opened (read-only)	\??\q:	rfrjaocudr.exe
File opened (read-only)	\??\z:	dnvjyfzx.exe
File opened (read-only)	\??\m:	dnvjyfzx.exe
File opened (read-only)	\??\u:	dnvjyfzx.exe
File opened (read-only)	\??\e:	rfrjaocudr.exe
File opened (read-only)	\??\l:	rfrjaocudr.exe
File opened (read-only)	\??\g:	dnvjyfzx.exe
File opened (read-only)	\??\w:	dnvjyfzx.exe
File opened (read-only)	\??\a:	dnvjyfzx.exe
File opened (read-only)	\??\a:	rfrjaocudr.exe
File opened (read-only)	\??\j:	rfrjaocudr.exe
File opened (read-only)	\??\x:	rfrjaocudr.exe
File opened (read-only)	\??\r:	dnvjyfzx.exe
File opened (read-only)	\??\t:	dnvjyfzx.exe
File opened (read-only)	\??\i:	dnvjyfzx.exe
File opened (read-only)	\??\i:	rfrjaocudr.exe
File opened (read-only)	\??\p:	rfrjaocudr.exe
File opened (read-only)	\??\v:	rfrjaocudr.exe
File opened (read-only)	\??\h:	dnvjyfzx.exe
File opened (read-only)	\??\u:	dnvjyfzx.exe
File opened (read-only)	\??\j:	dnvjyfzx.exe
File opened (read-only)	\??\o:	dnvjyfzx.exe
File opened (read-only)	\??\n:	dnvjyfzx.exe
File opened (read-only)	\??\p:	dnvjyfzx.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	rfrjaocudr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rfrjaocudr.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2720-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000800000001225f-5.dat	autoit_exe
behavioral1/files/0x000800000001222c-17.dat	autoit_exe
behavioral1/files/0x0009000000014b34-28.dat	autoit_exe
behavioral1/files/0x0007000000015262-34.dat	autoit_exe
behavioral1/files/0x0002000000003d1f-56.dat	autoit_exe
behavioral1/files/0x0002000000003d1e-54.dat	autoit_exe
behavioral1/files/0x000600000001663f-85.dat	autoit_exe
behavioral1/files/0x000600000001680a-89.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	rfrjaocudr.exe
File created	C:\Windows\SysWOW64\rfrjaocudr.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File created	C:\Windows\SysWOW64\mxjfxtfbogfcnfe.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification	C:\Windows\SysWOW64\mxjfxtfbogfcnfe.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification	C:\Windows\SysWOW64\dnvjyfzx.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification	C:\Windows\SysWOW64\xtpxcvvaljdmr.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification	C:\Windows\SysWOW64\rfrjaocudr.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File created	C:\Windows\SysWOW64\dnvjyfzx.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe
File created	C:\Windows\SysWOW64\xtpxcvvaljdmr.exe	b8454f9bd7d91e7b04eda20436dcebb5.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dnvjyfzx.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files\EnterTrace.doc.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EnterTrace.doc.exe	dnvjyfzx.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EditUnprotect.nal	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files\EditUnprotect.doc.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files\EditUnprotect.doc.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	dnvjyfzx.exe
File created	\??\c:\Program Files\EnterTrace.doc.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files\EnterTrace.doc.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EnterTrace.nal	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dnvjyfzx.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	dnvjyfzx.exe
File created	\??\c:\Program Files\EditUnprotect.doc.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EditUnprotect.doc.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EnterTrace.nal	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EditUnprotect.nal	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	dnvjyfzx.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EnterTrace.doc.exe	dnvjyfzx.exe
File opened for modification	C:\Program Files\EditUnprotect.doc.exe	dnvjyfzx.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	b8454f9bd7d91e7b04eda20436dcebb5.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	rfrjaocudr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	rfrjaocudr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15D449339E852BEBAD4339FD4CE"	b8454f9bd7d91e7b04eda20436dcebb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	rfrjaocudr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF9FC834F5B82199142D6217E93BD97E147593667436333D6ED"	b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	rfrjaocudr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	rfrjaocudr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32412C7E9D5283556A4676A670252DDB7DF365DB"	b8454f9bd7d91e7b04eda20436dcebb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	rfrjaocudr.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2572	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
1888	mxjfxtfbogfcnfe.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
2720	b8454f9bd7d91e7b04eda20436dcebb5.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1456	rfrjaocudr.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
1888	mxjfxtfbogfcnfe.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2172	dnvjyfzx.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2644	xtpxcvvaljdmr.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe
2812	dnvjyfzx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2572	WINWORD.EXE
2572	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 1456	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	28
PID 2720 wrote to memory of 1456	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	28
PID 2720 wrote to memory of 1456	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	28
PID 2720 wrote to memory of 1456	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	28
PID 2720 wrote to memory of 1888	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	29
PID 2720 wrote to memory of 1888	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	29
PID 2720 wrote to memory of 1888	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	29
PID 2720 wrote to memory of 1888	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	29
PID 2720 wrote to memory of 2172	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	30
PID 2720 wrote to memory of 2172	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	30
PID 2720 wrote to memory of 2172	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	30
PID 2720 wrote to memory of 2172	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	30
PID 1888 wrote to memory of 2900	1888	mxjfxtfbogfcnfe.exe	32
PID 1888 wrote to memory of 2900	1888	mxjfxtfbogfcnfe.exe	32
PID 1888 wrote to memory of 2900	1888	mxjfxtfbogfcnfe.exe	32
PID 1888 wrote to memory of 2900	1888	mxjfxtfbogfcnfe.exe	32
PID 2720 wrote to memory of 2644	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	31
PID 2720 wrote to memory of 2644	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	31
PID 2720 wrote to memory of 2644	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	31
PID 2720 wrote to memory of 2644	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	31
PID 1456 wrote to memory of 2812	1456	rfrjaocudr.exe	34
PID 1456 wrote to memory of 2812	1456	rfrjaocudr.exe	34
PID 1456 wrote to memory of 2812	1456	rfrjaocudr.exe	34
PID 1456 wrote to memory of 2812	1456	rfrjaocudr.exe	34
PID 2720 wrote to memory of 2572	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	35
PID 2720 wrote to memory of 2572	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	35
PID 2720 wrote to memory of 2572	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	35
PID 2720 wrote to memory of 2572	2720	b8454f9bd7d91e7b04eda20436dcebb5.exe	35
PID 2572 wrote to memory of 2800	2572	WINWORD.EXE	38
PID 2572 wrote to memory of 2800	2572	WINWORD.EXE	38
PID 2572 wrote to memory of 2800	2572	WINWORD.EXE	38
PID 2572 wrote to memory of 2800	2572	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\b8454f9bd7d91e7b04eda20436dcebb5.exe
"C:\Users\Admin\AppData\Local\Temp\b8454f9bd7d91e7b04eda20436dcebb5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\rfrjaocudr.exe
  rfrjaocudr.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\SysWOW64\dnvjyfzx.exe
    C:\Windows\system32\dnvjyfzx.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2812
- C:\Windows\SysWOW64\mxjfxtfbogfcnfe.exe
  mxjfxtfbogfcnfe.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c xtpxcvvaljdmr.exe
    3⤵
    PID:2900
- C:\Windows\SysWOW64\dnvjyfzx.exe
  dnvjyfzx.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2172
- C:\Windows\SysWOW64\xtpxcvvaljdmr.exe
  xtpxcvvaljdmr.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2644
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
15c573bc24c4fc940e0eec0e44d8a226

SHA1
2f33197fbc50b950170f2e44aaf9c6fe2d2857e4

SHA256
6fed0fbd17e72a968bc0124f3f6d53d54aef704641bb95bf9981652fcb6061bb

SHA512
c77385b7420c51cb1faee0c198677b8427789c501250e732a6e9d0ce1622f4ec167f9a7cff8aef4fd173e199375cb949c87078fceda3a72fd5487164a510cb22

Download Submit
C:\Program Files\EditUnprotect.doc.exe

Filesize
512KB

MD5
7d72b7a474170f7ab491d5634c97315f

SHA1
940a8ec569dbd39abaade1ebc3a913b2584447ce

SHA256
fe4f372e13c4f7bb8125a34b1a07afa4a3e7bf864c9dbc02f6288e89933fe616

SHA512
fd09076ac57bb4a356f5d1dc9d2402c0445867a20ce790be01d1b76d9324b3d4285c5a3afd02945f381389d4badaa0cba1a2e3d5090cd1f325a40353fd762fa2

Download Submit
C:\Program Files\EnterTrace.doc.exe

Filesize
512KB

MD5
76095f3dfa9cddf6866aed5432a87516

SHA1
61a1e4f3e8c9c4b7fc7528e491c0970e4e87f9fd

SHA256
22cedaddd9db0832a27272fd5ccf66e68c0d94a8234d4d3cc54b74e215f43899

SHA512
e9212cf27800ff57a375962c33c40d5e77f5c028ecc8049456d04b078742df2e9a2e2c3785307879e6bfb077cc8fb5ebb25d25cb42ad3f8d98eb8574fee0a6fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
a467db00b41666b599b8c6597bab793e

SHA1
ee3380f599c3827e925c8621ddfc4a9c86b3972b

SHA256
3366b9a85e85edbdde58c2f49103d326a6987e5dbe8c5ce1aaf2d6d91e312ab3

SHA512
98734a9ee705af908ca0a9e13476692f6dbd91a753401146bcaf3b907454a799531ce0737253b815772edbf90022409861fcbe6240dbc0b197b8dd9a41f3e3b4

Download Submit
C:\Users\Admin\AppData\Roaming\UpdateSplit.doc.exe

Filesize
512KB

MD5
3b51332d1392e99337b8bff699cfe8ab

SHA1
7026d9ebe69432f40f43276e861af88a9b60fbe9

SHA256
823ddf58bc18e90f11dca93100d7ae3ac1644813637657eb05e437293c38201c

SHA512
d057cb5d73ef572f30b7ef3cc4cae96edeb6344fa1c44c9b6a24a931e9d597336cf802c4f08131ea09d31117a57a1d875b102ecab0fe081d9848c7f857dc3f93

Download Submit
C:\Windows\SysWOW64\mxjfxtfbogfcnfe.exe

Filesize
512KB

MD5
a934404bf3c75082dc0c470338cb51ba

SHA1
c38c9f51d2d9241e90fc9ef0f0de56e5a356fc73

SHA256
f9d31a5ce4ae144d05a842a18fa3fb3bb8d42b2fd8c828a8ff25c5e961e503ad

SHA512
c3af99722377d7e00bec81eead3edf20b00ac3db71c684cc4b2f9181446352c3bef30b29c9fc9511de3a76cc63edc8bf0b4ad9109a880c39db1ac1a38c0889d5

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\dnvjyfzx.exe

Filesize
512KB

MD5
7c14d573f4cd4e11a3965111e0477001

SHA1
8d87f76e3de056966a5a4e37be41ab5e0c63f463

SHA256
1f0be0f05ff9b937889c9abbd79609c03c36fe73b48cf11b6d218efba8400f14

SHA512
4b52b56ac8c3613c74c75a1acc59c1bfde14f70d4e8c9cf1faeee14fe76528a83540fcbe259aaec4bd0255a3b496f63bd119cd704e11fcab3bfc65eeb711905f

Download Submit
\Windows\SysWOW64\rfrjaocudr.exe

Filesize
512KB

MD5
3c3bafa152a1d7e1c7e2f379cfcd62ef

SHA1
87ab605bee9a58f956ec99fbbe1c386ef65a9e81

SHA256
0ab7d690fc6e1b87719a81efa1d18751f948b0befcf048c1a54801700994b675

SHA512
e98d09d76f6a8474c7aeb224e499ecd79eaff59395ffa1f5c2e97b970c9514dd6c893518f722ff99bc6c86255e02246270d4177cb89eae1bd4ffd61cc54c204a

Download Submit
\Windows\SysWOW64\xtpxcvvaljdmr.exe

Filesize
512KB

MD5
6ec15fd55a4c90b60b5df9f97bd525f9

SHA1
a71449c00d35e5b45a5259f96b249bc5d4bcaf0d

SHA256
e3461b8a697d5df0b7343bac26714ad13d52c576788b01568ca106adcaba0b3b

SHA512
08577a5272700d4a797d98a13de2b9d0fd67f434b04b768e79323cec6d6111e6ce78ccb6ff43ea11c147f9facfb6a778f2a1b36c34b3c513c551124155ef6bdd

Download Submit
memory/2572-59-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/2572-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2572-45-0x000000002FF61000-0x000000002FF62000-memory.dmp

Filesize
4KB

Download
memory/2572-96-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/2572-117-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download