Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24/12/2023, 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: 08448a94a9c69ba7c6282108561036d4.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 08448a94a9c69ba7c6282108561036d4.exe
  Resource: win10v2004-20231215-en
General
Target: 08448a94a9c69ba7c6282108561036d4.exe
Size: 512KB
MD5: 08448a94a9c69ba7c6282108561036d4
SHA1: 5abda980f646bd60457869f9aef8ba1e1dde024c
SHA256: a837b91aedefd4a62d7785a29b42ed3bfb6a9b1e18776e740a51905a21c8ce66
SHA512: 4addb089a8c7875b7c09bfa6d9b0a153a659d0b0213e6ab69e11c92dbc61accc42b1c2606b0d1de2abac62e82c23643adea8abe664d6f768ffa8fa585a8d4921
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5W
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jwrduhiphx.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jwrduhiphx.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jwrduhiphx.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jwrduhiphx.exe
Executes dropped EXE 5 IoCs
pid | Process
2908 | jwrduhiphx.exe
2016 | nmzdpitigbcwqkj.exe
3068 | fnqtsgof.exe
2640 | wghbavnpozgqv.exe
2660 | fnqtsgof.exe
Loads dropped DLL 5 IoCs
pid | Process
3040 | 08448a94a9c69ba7c6282108561036d4.exe
3040 | 08448a94a9c69ba7c6282108561036d4.exe
3040 | 08448a94a9c69ba7c6282108561036d4.exe
3040 | 08448a94a9c69ba7c6282108561036d4.exe
2908 | jwrduhiphx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jwrduhiphx.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rjllpqiw = "jwrduhiphx.exe" | nmzdpitigbcwqkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bztagqga = "nmzdpitigbcwqkj.exe" | nmzdpitigbcwqkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wghbavnpozgqv.exe" | nmzdpitigbcwqkj.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jwrduhiphx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jwrduhiphx.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\wghbavnpozgqv.exe | 08448a94a9c69ba7c6282108561036d4.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jwrduhiphx.exe
File opened for modification | C:\Windows\SysWOW64\jwrduhiphx.exe | 08448a94a9c69ba7c6282108561036d4.exe
File created | C:\Windows\SysWOW64\nmzdpitigbcwqkj.exe | 08448a94a9c69ba7c6282108561036d4.exe
File opened for modification | C:\Windows\SysWOW64\nmzdpitigbcwqkj.exe | 08448a94a9c69ba7c6282108561036d4.exe
File created | C:\Windows\SysWOW64\fnqtsgof.exe | 08448a94a9c69ba7c6282108561036d4.exe
File opened for modification | C:\Windows\SysWOW64\fnqtsgof.exe | 08448a94a9c69ba7c6282108561036d4.exe
File created | C:\Windows\SysWOW64\jwrduhiphx.exe | 08448a94a9c69ba7c6282108561036d4.exe
File created | C:\Windows\SysWOW64\wghbavnpozgqv.exe | 08448a94a9c69ba7c6282108561036d4.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fnqtsgof.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fnqtsgof.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fnqtsgof.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fnqtsgof.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fnqtsgof.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fnqtsgof.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fnqtsgof.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fnqtsgof.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 08448a94a9c69ba7c6282108561036d4.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2136 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3040 | 08448a94a9c69ba7c6282108561036d4.exe
2908 | jwrduhiphx.exe
2640 | wghbavnpozgqv.exe
2016 | nmzdpitigbcwqkj.exe
3068 | fnqtsgof.exe
2660 | fnqtsgof.exe
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3040 | 08448a94a9c69ba7c6282108561036d4.exe
2908 | jwrduhiphx.exe
2016 | nmzdpitigbcwqkj.exe
3068 | fnqtsgof.exe
2640 | wghbavnpozgqv.exe
2660 | fnqtsgof.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3040 | 08448a94a9c69ba7c6282108561036d4.exe
2908 | jwrduhiphx.exe
2016 | nmzdpitigbcwqkj.exe
3068 | fnqtsgof.exe
2640 | wghbavnpozgqv.exe
2660 | fnqtsgof.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2136 | WINWORD.EXE
2136 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3040 wrote to memory of 2908 | 3040 | 08448a94a9c69ba7c6282108561036d4.exe | 25
PID 3040 wrote to memory of 2016 | 3040 | 08448a94a9c69ba7c6282108561036d4.exe | 24
PID 3040 wrote to memory of 3068 | 3040 | 08448a94a9c69ba7c6282108561036d4.exe | 23
PID 3040 wrote to memory of 2640 | 3040 | 08448a94a9c69ba7c6282108561036d4.exe | 22
PID 2908 wrote to memory of 2660 | 2908 | jwrduhiphx.exe | 20
PID 3040 wrote to memory of 2136 | 3040 | 08448a94a9c69ba7c6282108561036d4.exe | 21
PID 2136 wrote to memory of 2156 | 2136 | WINWORD.EXE | 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\08448a94a9c69ba7c6282108561036d4.exe"C:\Users\Admin\AppData\Local\Temp\08448a94a9c69ba7c6282108561036d4.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" 2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2136
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288 3⤵
PID:2156
C:\Windows\SysWOW64\wghbavnpozgqv.exe
wghbavnpozgqv.exe 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2640
C:\Windows\SysWOW64\fnqtsgof.exe
fnqtsgof.exe 2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3068
C:\Windows\SysWOW64\nmzdpitigbcwqkj.exe
nmzdpitigbcwqkj.exe 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2016
C:\Windows\SysWOW64\jwrduhiphx.exe
jwrduhiphx.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2908
C:\Windows\SysWOW64\fnqtsgof.exe
C:\Windows\system32\fnqtsgof.exe 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2660
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads