Analysis
- max time kernel: 50s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25/12/2023, 04:25
Static task: static1
Behavioral task: behavioral1
- Sample: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- Resource: win10v2004-20231222-en
General
- Target: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- Size: 512KB
- MD5: 0510d7a1f4cf13b6bafd2c21d293d310
- SHA1: f11c620dfa56d642a3e1e854928d08e3bc7815e4
- SHA256: 61d28c90ea37bfdea739103565da5216e1e7dcb3a7dba0a9f74835e7ee3d1434
- SHA512: 04087fd7f61fd0ba143ad39022f68422141eecca8878fb94b65cab16312ce790c9b35f0282405af0eda51fce5cd866927271e4737fe264cb891d94ea655a8944
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj68:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5z
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: bzyeaqrnol.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: bzyeaqrnol.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: bzyeaqrnol.exe)
Disables RegEdit via registry modification 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: bzyeaqrnol.exe)
Executes dropped EXE 5 IoCs
- PID 2732: bzyeaqrnol.exe
- PID 2808: zyekigimqjsuzhm.exe
- PID 2744: nzqzlhdg.exe
- PID 2604: vpzxdhruvgqpf.exe
- PID 2632: nzqzlhdg.exe
Loads dropped DLL 5 IoCs
- PID 1984: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- PID 1984: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- PID 1984: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- PID 1984: 0510d7a1f4cf13b6bafd2c21d293d310.exe
- PID 2732: bzyeaqrnol.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: bzyeaqrnol.exe)
Adds Run key to start application 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vpzxdhruvgqpf.exe" (process: zyekigimqjsuzhm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ezyzrhlf = "bzyeaqrnol.exe" (process: zyekigimqjsuzhm.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cuqcptkh = "zyekigimqjsuzhm.exe" (process: zyekigimqjsuzhm.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (process: bzyeaqrnol.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (process: bzyeaqrnol.exe)
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
- behavioral1/memory/1984-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x000d0000000122c3-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x000c000000012266-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x000d0000000122c3-28.dat (yara rule: autoit_exe)
- behavioral1/files/0x00270000000142a1-29.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000014468-38.dat (yara rule: autoit_exe)
- behavioral1/files/0x0008000000014468-41.dat (yara rule: autoit_exe)
- behavioral1/files/0x0006000000016cd4-75.dat (yara rule: autoit_exe)
Drops file in System32 directory 9 IoCs
- File created C:\Windows\SysWOW64\bzyeaqrnol.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File opened for modification C:\Windows\SysWOW64\zyekigimqjsuzhm.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File created C:\Windows\SysWOW64\nzqzlhdg.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File created C:\Windows\SysWOW64\vpzxdhruvgqpf.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File opened for modification C:\Windows\SysWOW64\bzyeaqrnol.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File created C:\Windows\SysWOW64\zyekigimqjsuzhm.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File opened for modification C:\Windows\SysWOW64\nzqzlhdg.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File opened for modification C:\Windows\SysWOW64\vpzxdhruvgqpf.exe (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (process: bzyeaqrnol.exe)
Drops file in Program Files directory 15 IoCs
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: nzqzlhdg.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: nzqzlhdg.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal (process: nzqzlhdg.exe)
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: nzqzlhdg.exe)
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe (process: nzqzlhdg.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification C:\Windows\mydoc.rtf (process: WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (process: WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (process: WINWORD.EXE)
- File opened for modification C:\Windows\mydoc.rtf (process: 0510d7a1f4cf13b6bafd2c21d293d310.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 2640: WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
- PID 2640: WINWORD.EXE
- PID 2640: WINWORD.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\0510d7a1f4cf13b6bafd2c21d293d310.exe (PID:1984)
Command line: "C:\Users\Admin\AppData\Local\Temp\0510d7a1f4cf13b6bafd2c21d293d310.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\bzyeaqrnol.exe (PID:2732)
  Command line: bzyeaqrnol.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\nzqzlhdg.exe (PID:2632)
    Command line: C:\Windows\system32\nzqzlhdg.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\zyekigimqjsuzhm.exe (PID:2808)
  Command line: zyekigimqjsuzhm.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID:2720)
    Command line: cmd.exe /c vpzxdhruvgqpf.exe
  C:\Windows\SysWOW64\nzqzlhdg.exe (PID:2744)
  Command line: nzqzlhdg.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\vpzxdhruvgqpf.exe (PID:2604)
  Command line: vpzxdhruvgqpf.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID:2640)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe (PID:472)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
- Hidden Files and Directories: 2
- Impair Defenses: 2
- Disable or Modify Tools: 2
- Modify Registry: 7
Downloads