0feaab70d04347b17ec2c5743826777c10a63ba589630456d0bfa2ea836a043a

Analysis

max time kernel
182s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ceaf65857d7abd3d0b19c8ed58b4d45.exe
Size

512KB
MD5

0ceaf65857d7abd3d0b19c8ed58b4d45
SHA1

f0e101c0dc5604fe0ac289894957ff53b753ff13
SHA256

0feaab70d04347b17ec2c5743826777c10a63ba589630456d0bfa2ea836a043a
SHA512

8f060a53b6140fdc9982cd8f8b4042554e01274118bf5a300bd1bff36c1049d630295b9d63c8931458ae84c3be376fffd3cbf46bb451c04114218987cd73ee54
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6J:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5w

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	xwhpxhtajs.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xwhpxhtajs.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xwhpxhtajs.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xwhpxhtajs.exe

Executes dropped EXE 5 IoCs

pid	Process
2608	xwhpxhtajs.exe
2668	dyxwvsahuplytug.exe
2380	wwpsodso.exe
1124	rigojnpmlwixh.exe
1628	wwpsodso.exe

Loads dropped DLL 5 IoCs

pid	Process
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2608	xwhpxhtajs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xwhpxhtajs.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mzgpuqlc = "dyxwvsahuplytug.exe"	dyxwvsahuplytug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rigojnpmlwixh.exe"	dyxwvsahuplytug.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yxrfpxbn = "xwhpxhtajs.exe"	dyxwvsahuplytug.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	wwpsodso.exe
File opened (read-only)	\??\a:	xwhpxhtajs.exe
File opened (read-only)	\??\g:	xwhpxhtajs.exe
File opened (read-only)	\??\h:	xwhpxhtajs.exe
File opened (read-only)	\??\n:	wwpsodso.exe
File opened (read-only)	\??\b:	wwpsodso.exe
File opened (read-only)	\??\a:	wwpsodso.exe
File opened (read-only)	\??\h:	wwpsodso.exe
File opened (read-only)	\??\j:	wwpsodso.exe
File opened (read-only)	\??\w:	xwhpxhtajs.exe
File opened (read-only)	\??\k:	wwpsodso.exe
File opened (read-only)	\??\l:	wwpsodso.exe
File opened (read-only)	\??\r:	wwpsodso.exe
File opened (read-only)	\??\x:	wwpsodso.exe
File opened (read-only)	\??\b:	wwpsodso.exe
File opened (read-only)	\??\i:	wwpsodso.exe
File opened (read-only)	\??\w:	wwpsodso.exe
File opened (read-only)	\??\j:	wwpsodso.exe
File opened (read-only)	\??\l:	wwpsodso.exe
File opened (read-only)	\??\x:	wwpsodso.exe
File opened (read-only)	\??\x:	xwhpxhtajs.exe
File opened (read-only)	\??\n:	xwhpxhtajs.exe
File opened (read-only)	\??\r:	xwhpxhtajs.exe
File opened (read-only)	\??\p:	wwpsodso.exe
File opened (read-only)	\??\n:	wwpsodso.exe
File opened (read-only)	\??\q:	wwpsodso.exe
File opened (read-only)	\??\z:	wwpsodso.exe
File opened (read-only)	\??\i:	xwhpxhtajs.exe
File opened (read-only)	\??\j:	xwhpxhtajs.exe
File opened (read-only)	\??\v:	wwpsodso.exe
File opened (read-only)	\??\r:	wwpsodso.exe
File opened (read-only)	\??\u:	wwpsodso.exe
File opened (read-only)	\??\s:	wwpsodso.exe
File opened (read-only)	\??\g:	wwpsodso.exe
File opened (read-only)	\??\i:	wwpsodso.exe
File opened (read-only)	\??\m:	xwhpxhtajs.exe
File opened (read-only)	\??\o:	xwhpxhtajs.exe
File opened (read-only)	\??\v:	xwhpxhtajs.exe
File opened (read-only)	\??\q:	wwpsodso.exe
File opened (read-only)	\??\s:	wwpsodso.exe
File opened (read-only)	\??\t:	wwpsodso.exe
File opened (read-only)	\??\y:	wwpsodso.exe
File opened (read-only)	\??\e:	wwpsodso.exe
File opened (read-only)	\??\g:	wwpsodso.exe
File opened (read-only)	\??\m:	wwpsodso.exe
File opened (read-only)	\??\a:	wwpsodso.exe
File opened (read-only)	\??\v:	wwpsodso.exe
File opened (read-only)	\??\u:	xwhpxhtajs.exe
File opened (read-only)	\??\z:	xwhpxhtajs.exe
File opened (read-only)	\??\q:	xwhpxhtajs.exe
File opened (read-only)	\??\h:	wwpsodso.exe
File opened (read-only)	\??\k:	wwpsodso.exe
File opened (read-only)	\??\p:	wwpsodso.exe
File opened (read-only)	\??\w:	wwpsodso.exe
File opened (read-only)	\??\b:	xwhpxhtajs.exe
File opened (read-only)	\??\l:	xwhpxhtajs.exe
File opened (read-only)	\??\e:	wwpsodso.exe
File opened (read-only)	\??\p:	xwhpxhtajs.exe
File opened (read-only)	\??\t:	xwhpxhtajs.exe
File opened (read-only)	\??\y:	wwpsodso.exe
File opened (read-only)	\??\z:	wwpsodso.exe
File opened (read-only)	\??\o:	wwpsodso.exe
File opened (read-only)	\??\u:	wwpsodso.exe
File opened (read-only)	\??\m:	wwpsodso.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	xwhpxhtajs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	xwhpxhtajs.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2752-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000012287-5.dat	autoit_exe
behavioral1/files/0x001000000000b1f5-17.dat	autoit_exe
behavioral1/files/0x003600000001449c-29.dat	autoit_exe
behavioral1/files/0x000700000001482e-34.dat	autoit_exe
behavioral1/files/0x003600000001449c-43.dat	autoit_exe
behavioral1/files/0x0003000000003d1e-92.dat	autoit_exe
behavioral1/files/0x0006000000015e38-100.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	xwhpxhtajs.exe
File opened for modification	C:\Windows\SysWOW64\xwhpxhtajs.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File created	C:\Windows\SysWOW64\dyxwvsahuplytug.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File opened for modification	C:\Windows\SysWOW64\dyxwvsahuplytug.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File created	C:\Windows\SysWOW64\wwpsodso.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File opened for modification	C:\Windows\SysWOW64\wwpsodso.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File created	C:\Windows\SysWOW64\rigojnpmlwixh.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File created	C:\Windows\SysWOW64\xwhpxhtajs.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File opened for modification	C:\Windows\SysWOW64\rigojnpmlwixh.exe	0ceaf65857d7abd3d0b19c8ed58b4d45.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wwpsodso.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wwpsodso.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwpsodso.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwpsodso.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwpsodso.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwpsodso.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	xwhpxhtajs.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	xwhpxhtajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	xwhpxhtajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	xwhpxhtajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC8F9BDFE65F2E7840F3A42869A3999B38A038D4364024BE2CA459E08D4"	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC77B15E5DBC2B9C17FE5ED9234CA"	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	xwhpxhtajs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	xwhpxhtajs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D7F9C2182246D3476A777222CDF7D8465DA"	0ceaf65857d7abd3d0b19c8ed58b4d45.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
828	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
2668	dyxwvsahuplytug.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1628	wwpsodso.exe
1628	wwpsodso.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1628	wwpsodso.exe
1628	wwpsodso.exe
1628	wwpsodso.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2608	xwhpxhtajs.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2668	dyxwvsahuplytug.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
2380	wwpsodso.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1124	rigojnpmlwixh.exe
1628	wwpsodso.exe
1628	wwpsodso.exe
1628	wwpsodso.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
828	WINWORD.EXE
828	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2608	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	29
PID 2752 wrote to memory of 2608	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	29
PID 2752 wrote to memory of 2608	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	29
PID 2752 wrote to memory of 2608	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	29
PID 2752 wrote to memory of 2668	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	30
PID 2752 wrote to memory of 2668	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	30
PID 2752 wrote to memory of 2668	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	30
PID 2752 wrote to memory of 2668	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	30
PID 2752 wrote to memory of 2380	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	31
PID 2752 wrote to memory of 2380	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	31
PID 2752 wrote to memory of 2380	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	31
PID 2752 wrote to memory of 2380	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	31
PID 2752 wrote to memory of 1124	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	32
PID 2752 wrote to memory of 1124	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	32
PID 2752 wrote to memory of 1124	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	32
PID 2752 wrote to memory of 1124	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	32
PID 2752 wrote to memory of 828	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	33
PID 2752 wrote to memory of 828	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	33
PID 2752 wrote to memory of 828	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	33
PID 2752 wrote to memory of 828	2752	0ceaf65857d7abd3d0b19c8ed58b4d45.exe	33
PID 2608 wrote to memory of 1628	2608	xwhpxhtajs.exe	34
PID 2608 wrote to memory of 1628	2608	xwhpxhtajs.exe	34
PID 2608 wrote to memory of 1628	2608	xwhpxhtajs.exe	34
PID 2608 wrote to memory of 1628	2608	xwhpxhtajs.exe	34
PID 828 wrote to memory of 796	828	WINWORD.EXE	38
PID 828 wrote to memory of 796	828	WINWORD.EXE	38
PID 828 wrote to memory of 796	828	WINWORD.EXE	38
PID 828 wrote to memory of 796	828	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe
"C:\Users\Admin\AppData\Local\Temp\0ceaf65857d7abd3d0b19c8ed58b4d45.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\xwhpxhtajs.exe
  xwhpxhtajs.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\wwpsodso.exe
    C:\Windows\system32\wwpsodso.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1628
- C:\Windows\SysWOW64\dyxwvsahuplytug.exe
  dyxwvsahuplytug.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2668
- C:\Windows\SysWOW64\wwpsodso.exe
  wwpsodso.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2380
- C:\Windows\SysWOW64\rigojnpmlwixh.exe
  rigojnpmlwixh.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1124
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
186c2a17f6c96dbe795ee87dd6169075

SHA1
b4b91b66600c1709c78a9f659a7195c00d6bda9e

SHA256
bc765027746c49060e31a945d32a80bec06b0bfd50be15e48d2f3322e563b652

SHA512
778190d1870b1bc2546cddcb9523a3dd7a9890bc3b1e9fda65cb9b3a1cc2a250b86c163df3dc353a7bf07024f66c8d40f6294b668bd7103de0e4e2c248d38ebf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
7f33245f19dbf75a0b166ec88861096e

SHA1
48e53c04824a0cb5198c534d2eceef2945ee7a88

SHA256
2f40b9de8e018b45f1a34175b658025cbee48cf659748103382e7842a9fe480b

SHA512
2e6bcc5002ea9e0f72f82140aa2c6d865cda3fea6967eb132d1347304b3cf06869cdd9a8c35e14affaf422eaaf367527d751c1458f42ff47d8fa767f7536051a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
cbd876c7329fd2869eea08af6cefd0e7

SHA1
3fdbb583a8e475b1c69c4a2e34da2a448c05fbd3

SHA256
694e3ac01e0d32be5c644b0acc181044f38fbe7993b35e9160cb28b183b91e6c

SHA512
29282ab61ee45badec84f17edc02915409155cf9035d5fb186794bd1f255e3e942a2a3b2d3fb07163b59c90bd93041f5d7c17f75ea57c2c306cfa5e32d4ec25c

Download Submit
C:\Windows\SysWOW64\dyxwvsahuplytug.exe

Filesize
512KB

MD5
8142c29c6bdb667a05f65a8336095029

SHA1
1747ba8093e724e7a4e7c9f80029a1fc9db5be42

SHA256
2a1cb059968d8db8c8eebec690db0d8eccda4bf48aa686a630dc7f397c920076

SHA512
45290ff07059ee77b0643d0c29c83c64371600b0a52cc0e19176113576b04d21658d2f4ff3f4500790a7dca49fa9ab86454401f5112db2f9f8ffc083e700a5b0

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\rigojnpmlwixh.exe

Filesize
512KB

MD5
14934e3edbb96dced0ce24ad1226b331

SHA1
ef4f575310b615c0b06e37c5143df808ef409ce6

SHA256
83ebda44e499f977aa4ee7a2f38ffcf4d3a3f5664aa43cabc95388f156ef99b8

SHA512
e79034d7b98e6a91fb118b8d2546faceb89e6715dda887d84c7fb03e1db68d4b5cd399b3e14810a46d53cae121ddbfcc20a8fae5feaa61b54d40ff3b7f12348c

Download Submit
\Windows\SysWOW64\wwpsodso.exe

Filesize
512KB

MD5
0cd3a7ab2f4cce41677e1260ddfc62c5

SHA1
c5a202ad90ee43654762decfd87ff6cae5cca4bf

SHA256
48e3c709e12773d7f7b40f00fff64da26fc3a97fc2d0988145298a8ce57b9ebb

SHA512
50ad31f27954c5b0cbf33cba81d0a87d875def430fd4dbe9420afb42241caf90b0d269964ac4a8d97243a09643299bf38ade2149cbc5ca8b9eb85ef92f36624b

Download Submit
\Windows\SysWOW64\wwpsodso.exe

Filesize
470KB

MD5
dba30b63086280656ef29cffce8f2b1f

SHA1
3e1f69f1a3c4c38b9f749d9d57fd8db09b52ba3a

SHA256
b4954988d858e7051dfaced251d879b388c5ebf463282765345d6fe2b388bb94

SHA512
e8396061891140265599cec13615ec1f325449aabb4c886ee5d466ce670185ec37a71dbccba6612744fe86d4ab527eed6f882be9a665167342454c8d76be42b0

Download Submit
\Windows\SysWOW64\xwhpxhtajs.exe

Filesize
512KB

MD5
5b9404222b3261cf82038a3a3e9f7172

SHA1
a0a95753dc877cd823a56f313adbdc139a4bdfef

SHA256
3ae83bda144b05987a700df92e0a23ab90a653d4145d77560c9552b8515ef2a0

SHA512
882ac17bbfe866d6666d83a884baa0a6c26f877daf998d8f182d3709d3567cf2463408748ac9b5745c7098c39882083d25b9e91fc2494a88c65f7aa0b2e2c982

Download Submit
memory/828-47-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/828-62-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/828-87-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/828-88-0x000000007186D000-0x0000000071878000-memory.dmp

Filesize
44KB

Download
memory/828-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/828-42-0x000000002F9B1000-0x000000002F9B2000-memory.dmp

Filesize
4KB

Download
memory/2752-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download