a96605e0b5c535b2aa7fe9c530a7b75c2b9f2ff5fcac7cbe1a3f5337631f68a2

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 15:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d67add1de2a10c7e5f9eb64ed143005e.exe
Size

512KB
MD5

d67add1de2a10c7e5f9eb64ed143005e
SHA1

c13cba438d4c6def213d16b348f8066a9568f44d
SHA256

a96605e0b5c535b2aa7fe9c530a7b75c2b9f2ff5fcac7cbe1a3f5337631f68a2
SHA512

a109a3dc77727269ba8c8c6c9036a8c835ce0f2896886b9efa3c18e86e28174678cdeb8ef3739131175167f306f0300e6575b7972837aabe647dc73e01173223
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	clylvbxlvn.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	clylvbxlvn.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	clylvbxlvn.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	clylvbxlvn.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2600	clylvbxlvn.exe
2584	baquhikosceyooy.exe
2396	vyqhoofe.exe
2680	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2464	vyqhoofe.exe

Loads dropped DLL 6 IoCs

pid	Process
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2612	cmd.exe
2600	clylvbxlvn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	clylvbxlvn.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qrpnabis = "clylvbxlvn.exe"	baquhikosceyooy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lzzhvwze = "baquhikosceyooy.exe"	baquhikosceyooy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fgsxeedrzlfje.exe"	baquhikosceyooy.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	vyqhoofe.exe
File opened (read-only)	\??\h:	vyqhoofe.exe
File opened (read-only)	\??\s:	vyqhoofe.exe
File opened (read-only)	\??\u:	vyqhoofe.exe
File opened (read-only)	\??\i:	vyqhoofe.exe
File opened (read-only)	\??\m:	clylvbxlvn.exe
File opened (read-only)	\??\o:	clylvbxlvn.exe
File opened (read-only)	\??\z:	clylvbxlvn.exe
File opened (read-only)	\??\s:	vyqhoofe.exe
File opened (read-only)	\??\t:	vyqhoofe.exe
File opened (read-only)	\??\k:	vyqhoofe.exe
File opened (read-only)	\??\j:	vyqhoofe.exe
File opened (read-only)	\??\o:	vyqhoofe.exe
File opened (read-only)	\??\y:	clylvbxlvn.exe
File opened (read-only)	\??\g:	vyqhoofe.exe
File opened (read-only)	\??\r:	vyqhoofe.exe
File opened (read-only)	\??\w:	vyqhoofe.exe
File opened (read-only)	\??\n:	vyqhoofe.exe
File opened (read-only)	\??\w:	vyqhoofe.exe
File opened (read-only)	\??\b:	clylvbxlvn.exe
File opened (read-only)	\??\l:	clylvbxlvn.exe
File opened (read-only)	\??\u:	clylvbxlvn.exe
File opened (read-only)	\??\q:	vyqhoofe.exe
File opened (read-only)	\??\r:	vyqhoofe.exe
File opened (read-only)	\??\g:	clylvbxlvn.exe
File opened (read-only)	\??\w:	clylvbxlvn.exe
File opened (read-only)	\??\v:	vyqhoofe.exe
File opened (read-only)	\??\v:	vyqhoofe.exe
File opened (read-only)	\??\i:	clylvbxlvn.exe
File opened (read-only)	\??\x:	clylvbxlvn.exe
File opened (read-only)	\??\p:	vyqhoofe.exe
File opened (read-only)	\??\n:	vyqhoofe.exe
File opened (read-only)	\??\q:	vyqhoofe.exe
File opened (read-only)	\??\b:	vyqhoofe.exe
File opened (read-only)	\??\z:	vyqhoofe.exe
File opened (read-only)	\??\t:	clylvbxlvn.exe
File opened (read-only)	\??\v:	clylvbxlvn.exe
File opened (read-only)	\??\j:	vyqhoofe.exe
File opened (read-only)	\??\u:	vyqhoofe.exe
File opened (read-only)	\??\o:	vyqhoofe.exe
File opened (read-only)	\??\y:	vyqhoofe.exe
File opened (read-only)	\??\l:	vyqhoofe.exe
File opened (read-only)	\??\n:	clylvbxlvn.exe
File opened (read-only)	\??\p:	clylvbxlvn.exe
File opened (read-only)	\??\m:	vyqhoofe.exe
File opened (read-only)	\??\y:	vyqhoofe.exe
File opened (read-only)	\??\l:	vyqhoofe.exe
File opened (read-only)	\??\t:	vyqhoofe.exe
File opened (read-only)	\??\z:	vyqhoofe.exe
File opened (read-only)	\??\g:	vyqhoofe.exe
File opened (read-only)	\??\a:	clylvbxlvn.exe
File opened (read-only)	\??\a:	vyqhoofe.exe
File opened (read-only)	\??\m:	vyqhoofe.exe
File opened (read-only)	\??\x:	vyqhoofe.exe
File opened (read-only)	\??\e:	clylvbxlvn.exe
File opened (read-only)	\??\j:	clylvbxlvn.exe
File opened (read-only)	\??\a:	vyqhoofe.exe
File opened (read-only)	\??\p:	vyqhoofe.exe
File opened (read-only)	\??\e:	vyqhoofe.exe
File opened (read-only)	\??\k:	vyqhoofe.exe
File opened (read-only)	\??\k:	clylvbxlvn.exe
File opened (read-only)	\??\q:	clylvbxlvn.exe
File opened (read-only)	\??\s:	clylvbxlvn.exe
File opened (read-only)	\??\h:	vyqhoofe.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	clylvbxlvn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	clylvbxlvn.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2248-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d000000012324-5.dat	autoit_exe
behavioral1/files/0x000b00000001224d-17.dat	autoit_exe
behavioral1/files/0x0035000000013413-27.dat	autoit_exe
behavioral1/files/0x0008000000013a3a-38.dat	autoit_exe
behavioral1/files/0x0006000000014a9a-72.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\clylvbxlvn.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\SysWOW64\baquhikosceyooy.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File created	C:\Windows\SysWOW64\vyqhoofe.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\SysWOW64\vyqhoofe.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\SysWOW64\fgsxeedrzlfje.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\SysWOW64\clylvbxlvn.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File created	C:\Windows\SysWOW64\baquhikosceyooy.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File created	C:\Windows\SysWOW64\fgsxeedrzlfje.exe	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	clylvbxlvn.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vyqhoofe.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vyqhoofe.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vyqhoofe.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vyqhoofe.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vyqhoofe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vyqhoofe.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vyqhoofe.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	d67add1de2a10c7e5f9eb64ed143005e.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC77B1491DAB3B9B97FE3EC9434CC"	d67add1de2a10c7e5f9eb64ed143005e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	clylvbxlvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	clylvbxlvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	clylvbxlvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	clylvbxlvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	clylvbxlvn.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	clylvbxlvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	clylvbxlvn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	clylvbxlvn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8CFFFB4F5A8219913DD75B7D91BCEFE641594B67416334D791"	d67add1de2a10c7e5f9eb64ed143005e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1700	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2584	baquhikosceyooy.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2464	vyqhoofe.exe
2464	vyqhoofe.exe
2464	vyqhoofe.exe
2464	vyqhoofe.exe
2584	baquhikosceyooy.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2584	baquhikosceyooy.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2584	baquhikosceyooy.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2584	baquhikosceyooy.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2584	baquhikosceyooy.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe
Token: SeShutdownPrivilege	2304	explorer.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2464	vyqhoofe.exe
2464	vyqhoofe.exe
2464	vyqhoofe.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2248	d67add1de2a10c7e5f9eb64ed143005e.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2584	baquhikosceyooy.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2600	clylvbxlvn.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2396	vyqhoofe.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2400	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2680	fgsxeedrzlfje.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe
2304	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	WINWORD.EXE
1700	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2600	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	28
PID 2248 wrote to memory of 2600	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	28
PID 2248 wrote to memory of 2600	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	28
PID 2248 wrote to memory of 2600	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	28
PID 2248 wrote to memory of 2584	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	29
PID 2248 wrote to memory of 2584	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	29
PID 2248 wrote to memory of 2584	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	29
PID 2248 wrote to memory of 2584	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	29
PID 2248 wrote to memory of 2396	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	30
PID 2248 wrote to memory of 2396	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	30
PID 2248 wrote to memory of 2396	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	30
PID 2248 wrote to memory of 2396	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	30
PID 2248 wrote to memory of 2680	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	31
PID 2248 wrote to memory of 2680	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	31
PID 2248 wrote to memory of 2680	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	31
PID 2248 wrote to memory of 2680	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	31
PID 2584 wrote to memory of 2612	2584	baquhikosceyooy.exe	32
PID 2584 wrote to memory of 2612	2584	baquhikosceyooy.exe	32
PID 2584 wrote to memory of 2612	2584	baquhikosceyooy.exe	32
PID 2584 wrote to memory of 2612	2584	baquhikosceyooy.exe	32
PID 2612 wrote to memory of 2400	2612	cmd.exe	34
PID 2612 wrote to memory of 2400	2612	cmd.exe	34
PID 2612 wrote to memory of 2400	2612	cmd.exe	34
PID 2612 wrote to memory of 2400	2612	cmd.exe	34
PID 2600 wrote to memory of 2464	2600	clylvbxlvn.exe	35
PID 2600 wrote to memory of 2464	2600	clylvbxlvn.exe	35
PID 2600 wrote to memory of 2464	2600	clylvbxlvn.exe	35
PID 2600 wrote to memory of 2464	2600	clylvbxlvn.exe	35
PID 2248 wrote to memory of 1700	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	36
PID 2248 wrote to memory of 1700	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	36
PID 2248 wrote to memory of 1700	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	36
PID 2248 wrote to memory of 1700	2248	d67add1de2a10c7e5f9eb64ed143005e.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d67add1de2a10c7e5f9eb64ed143005e.exe
"C:\Users\Admin\AppData\Local\Temp\d67add1de2a10c7e5f9eb64ed143005e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\clylvbxlvn.exe
  clylvbxlvn.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\vyqhoofe.exe
    C:\Windows\system32\vyqhoofe.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2464
- C:\Windows\SysWOW64\baquhikosceyooy.exe
  baquhikosceyooy.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c fgsxeedrzlfje.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\fgsxeedrzlfje.exe
      fgsxeedrzlfje.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2400
- C:\Windows\SysWOW64\vyqhoofe.exe
  vyqhoofe.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2396
- C:\Windows\SysWOW64\fgsxeedrzlfje.exe
  fgsxeedrzlfje.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2680
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1700

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
8fe937418fc7daf74a1252c45a049b9a

SHA1
2e1e596afe26a1c3c7fed9d18bf701900ffa94a9

SHA256
6c0212c7e857d24e3affae2f1fa914126a553b3c3f91589b30177e4508a38319

SHA512
71573c6468fa3315523790a92b3ece606503c0a3f5938ab3a1843d8153a9e4e529480f8cbd66f52a49d4bcb6728f99dc00de956b277ba4c75ad6dcdd41c151bd

Download Submit
C:\Windows\SysWOW64\baquhikosceyooy.exe

Filesize
512KB

MD5
e845ffecd33b37040645936667a14f95

SHA1
74ed7152b234255e2030d8e3226952cb13bc7b08

SHA256
d58e4cacdc072b4ca0407a1ee5d1b121e51aea6a2a58c715f5ff7a666a9a4c87

SHA512
ddd3275fd16e05ea69c75cb2a8f8251dfc33eb7e48f621a254c1dd26a1c00a0ca7cafb791127fbb5f6180c0b739a85f609be03d789001e600c7a69f979e03b66

Download Submit
C:\Windows\SysWOW64\fgsxeedrzlfje.exe

Filesize
512KB

MD5
4287d1a82f6ecc084b75d9440c27f2b2

SHA1
bafd309977c7c96f263e50db510ef13038acdfbc

SHA256
e4b7b9a992e4564cf6944ce569ffc2f8e0bffdc05859d639884eb5c10101df51

SHA512
86276371e3d1bee83b94eb5627cdb9f56f73e141867be415651adf2cc7c539fd65a712317c3ad9b0da57e54287102a7518253d4be9e96674c24bb13ee9da42e0

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\clylvbxlvn.exe

Filesize
512KB

MD5
bd733d66ae6866ca2e8281be0c692fcb

SHA1
a5490eec7db5526e442783ab94bda0ac493c36ea

SHA256
7a3ca85affcb98cd29b7afcabe4907fe7ffddcf9c1cbaf339c1857758ba8e59f

SHA512
02a16f8fbc8a7d3083459cc0f65eb71458bae9a422000b13f5d9bfb7a4508dbc3058a2278a448cd4655a3f8be3354654c22e045afc9738618b02b1de4c96e1f1

Download Submit
\Windows\SysWOW64\vyqhoofe.exe

Filesize
512KB

MD5
9ad19dd281c82eb03ac92c621fa47cdf

SHA1
4285c7d1c0128f754604fc7c2d6799d2aafe807a

SHA256
4bb232b9f9b8f55ab282342e5f0f8921c726aab9782e62ef5a1caeb300af7506

SHA512
8fdc0958bfe3b09893a157f1a857c34c6998a34238558914110e5c77145041049fd63cf71d97b83d5be0b9b8c2ef812da1220d4cee92c393d1c30f1add9ff939

Download Submit
memory/1700-49-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1700-50-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/1700-48-0x000000002F4E1000-0x000000002F4E2000-memory.dmp

Filesize
4KB

Download
memory/1700-79-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/2248-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2304-78-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2304-81-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download