0f2111fb67cfd68f6993e7132253a9e6544402cc8cb7bf330f5144d7cdf4e9c7

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2985538024ccd7fbf883fc62e5f43d6a.exe
Size

512KB
MD5

2985538024ccd7fbf883fc62e5f43d6a
SHA1

dedc59f763fa208e197a649348d5e8f452948be6
SHA256

0f2111fb67cfd68f6993e7132253a9e6544402cc8cb7bf330f5144d7cdf4e9c7
SHA512

ae76771018e130a7275ffe7ebda9913a2ae2b86e899d44605648b4937c12bfbd844b1a29fc713a840396f7abdcb4ca757c54b7950acddb7e8e0af36553beee65
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6G:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5x

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	bweijlyeua.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	bweijlyeua.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bweijlyeua.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	bweijlyeua.exe

Executes dropped EXE 5 IoCs

pid	Process
2664	bweijlyeua.exe
2824	yjmypyhoogwawqq.exe
2876	ipqkzhks.exe
2588	bqdlrlpqnlxee.exe
2580	ipqkzhks.exe

Loads dropped DLL 5 IoCs

pid	Process
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2664	bweijlyeua.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	bweijlyeua.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bqdlrlpqnlxee.exe"	yjmypyhoogwawqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ekuuwahv = "bweijlyeua.exe"	yjmypyhoogwawqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msqwxqiv = "yjmypyhoogwawqq.exe"	yjmypyhoogwawqq.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\u:	ipqkzhks.exe
File opened (read-only)	\??\s:	ipqkzhks.exe
File opened (read-only)	\??\t:	ipqkzhks.exe
File opened (read-only)	\??\j:	bweijlyeua.exe
File opened (read-only)	\??\q:	bweijlyeua.exe
File opened (read-only)	\??\t:	ipqkzhks.exe
File opened (read-only)	\??\x:	ipqkzhks.exe
File opened (read-only)	\??\g:	bweijlyeua.exe
File opened (read-only)	\??\x:	bweijlyeua.exe
File opened (read-only)	\??\e:	ipqkzhks.exe
File opened (read-only)	\??\n:	ipqkzhks.exe
File opened (read-only)	\??\a:	bweijlyeua.exe
File opened (read-only)	\??\i:	bweijlyeua.exe
File opened (read-only)	\??\z:	ipqkzhks.exe
File opened (read-only)	\??\a:	ipqkzhks.exe
File opened (read-only)	\??\t:	bweijlyeua.exe
File opened (read-only)	\??\u:	ipqkzhks.exe
File opened (read-only)	\??\b:	ipqkzhks.exe
File opened (read-only)	\??\g:	ipqkzhks.exe
File opened (read-only)	\??\k:	ipqkzhks.exe
File opened (read-only)	\??\z:	ipqkzhks.exe
File opened (read-only)	\??\l:	bweijlyeua.exe
File opened (read-only)	\??\e:	ipqkzhks.exe
File opened (read-only)	\??\q:	ipqkzhks.exe
File opened (read-only)	\??\p:	bweijlyeua.exe
File opened (read-only)	\??\v:	bweijlyeua.exe
File opened (read-only)	\??\q:	ipqkzhks.exe
File opened (read-only)	\??\o:	ipqkzhks.exe
File opened (read-only)	\??\j:	ipqkzhks.exe
File opened (read-only)	\??\n:	ipqkzhks.exe
File opened (read-only)	\??\p:	ipqkzhks.exe
File opened (read-only)	\??\k:	bweijlyeua.exe
File opened (read-only)	\??\l:	ipqkzhks.exe
File opened (read-only)	\??\y:	ipqkzhks.exe
File opened (read-only)	\??\m:	bweijlyeua.exe
File opened (read-only)	\??\n:	bweijlyeua.exe
File opened (read-only)	\??\z:	bweijlyeua.exe
File opened (read-only)	\??\p:	ipqkzhks.exe
File opened (read-only)	\??\w:	ipqkzhks.exe
File opened (read-only)	\??\s:	bweijlyeua.exe
File opened (read-only)	\??\y:	bweijlyeua.exe
File opened (read-only)	\??\h:	ipqkzhks.exe
File opened (read-only)	\??\h:	bweijlyeua.exe
File opened (read-only)	\??\r:	bweijlyeua.exe
File opened (read-only)	\??\g:	ipqkzhks.exe
File opened (read-only)	\??\v:	ipqkzhks.exe
File opened (read-only)	\??\o:	ipqkzhks.exe
File opened (read-only)	\??\w:	bweijlyeua.exe
File opened (read-only)	\??\a:	ipqkzhks.exe
File opened (read-only)	\??\h:	ipqkzhks.exe
File opened (read-only)	\??\m:	ipqkzhks.exe
File opened (read-only)	\??\o:	bweijlyeua.exe
File opened (read-only)	\??\u:	bweijlyeua.exe
File opened (read-only)	\??\b:	ipqkzhks.exe
File opened (read-only)	\??\i:	ipqkzhks.exe
File opened (read-only)	\??\s:	ipqkzhks.exe
File opened (read-only)	\??\m:	ipqkzhks.exe
File opened (read-only)	\??\y:	ipqkzhks.exe
File opened (read-only)	\??\i:	ipqkzhks.exe
File opened (read-only)	\??\v:	ipqkzhks.exe
File opened (read-only)	\??\w:	ipqkzhks.exe
File opened (read-only)	\??\e:	bweijlyeua.exe
File opened (read-only)	\??\k:	ipqkzhks.exe
File opened (read-only)	\??\x:	ipqkzhks.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	bweijlyeua.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	bweijlyeua.exe

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000012281-5.dat	autoit_exe
behavioral1/files/0x000a000000012263-17.dat	autoit_exe
behavioral1/files/0x000a000000012263-20.dat	autoit_exe
behavioral1/files/0x000a000000012263-22.dat	autoit_exe
behavioral1/files/0x0008000000012281-23.dat	autoit_exe
behavioral1/files/0x002b000000015c1c-28.dat	autoit_exe
behavioral1/files/0x0008000000012281-26.dat	autoit_exe
behavioral1/files/0x002b000000015c1c-31.dat	autoit_exe
behavioral1/files/0x0007000000015c64-33.dat	autoit_exe
behavioral1/files/0x0007000000015c64-37.dat	autoit_exe
behavioral1/files/0x002b000000015c1c-39.dat	autoit_exe
behavioral1/files/0x0008000000012281-38.dat	autoit_exe
behavioral1/files/0x0007000000015c64-41.dat	autoit_exe
behavioral1/files/0x002b000000015c1c-43.dat	autoit_exe
behavioral1/files/0x002b000000015c1c-42.dat	autoit_exe
behavioral1/files/0x0006000000016d1d-76.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bqdlrlpqnlxee.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	bweijlyeua.exe
File created	C:\Windows\SysWOW64\bweijlyeua.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File opened for modification	C:\Windows\SysWOW64\bweijlyeua.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File created	C:\Windows\SysWOW64\yjmypyhoogwawqq.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File created	C:\Windows\SysWOW64\bqdlrlpqnlxee.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File opened for modification	C:\Windows\SysWOW64\yjmypyhoogwawqq.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File created	C:\Windows\SysWOW64\ipqkzhks.exe	2985538024ccd7fbf883fc62e5f43d6a.exe
File opened for modification	C:\Windows\SysWOW64\ipqkzhks.exe	2985538024ccd7fbf883fc62e5f43d6a.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ipqkzhks.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ipqkzhks.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ipqkzhks.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ipqkzhks.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ipqkzhks.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ipqkzhks.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ipqkzhks.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	2985538024ccd7fbf883fc62e5f43d6a.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	bweijlyeua.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412D7F9C2C83566A3676DC772F2CDB7CF464D8"	2985538024ccd7fbf883fc62e5f43d6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FCF9485F851D9041D72B7E95BC97E13C594B664F6344D791"	2985538024ccd7fbf883fc62e5f43d6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	bweijlyeua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F46BC5FF1822DDD10ED0D68A0E9017"	2985538024ccd7fbf883fc62e5f43d6a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2112	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2824	yjmypyhoogwawqq.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2164	2985538024ccd7fbf883fc62e5f43d6a.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2664	bweijlyeua.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2824	yjmypyhoogwawqq.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2876	ipqkzhks.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2588	bqdlrlpqnlxee.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe
2580	ipqkzhks.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2112	WINWORD.EXE
2112	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2664	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	28
PID 2164 wrote to memory of 2664	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	28
PID 2164 wrote to memory of 2664	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	28
PID 2164 wrote to memory of 2664	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	28
PID 2164 wrote to memory of 2824	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	29
PID 2164 wrote to memory of 2824	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	29
PID 2164 wrote to memory of 2824	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	29
PID 2164 wrote to memory of 2824	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	29
PID 2164 wrote to memory of 2876	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	30
PID 2164 wrote to memory of 2876	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	30
PID 2164 wrote to memory of 2876	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	30
PID 2164 wrote to memory of 2876	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	30
PID 2164 wrote to memory of 2588	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	31
PID 2164 wrote to memory of 2588	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	31
PID 2164 wrote to memory of 2588	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	31
PID 2164 wrote to memory of 2588	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	31
PID 2664 wrote to memory of 2580	2664	bweijlyeua.exe	32
PID 2664 wrote to memory of 2580	2664	bweijlyeua.exe	32
PID 2664 wrote to memory of 2580	2664	bweijlyeua.exe	32
PID 2664 wrote to memory of 2580	2664	bweijlyeua.exe	32
PID 2164 wrote to memory of 2112	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	33
PID 2164 wrote to memory of 2112	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	33
PID 2164 wrote to memory of 2112	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	33
PID 2164 wrote to memory of 2112	2164	2985538024ccd7fbf883fc62e5f43d6a.exe	33
PID 2112 wrote to memory of 1536	2112	WINWORD.EXE	39
PID 2112 wrote to memory of 1536	2112	WINWORD.EXE	39
PID 2112 wrote to memory of 1536	2112	WINWORD.EXE	39
PID 2112 wrote to memory of 1536	2112	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe
"C:\Users\Admin\AppData\Local\Temp\2985538024ccd7fbf883fc62e5f43d6a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\SysWOW64\bweijlyeua.exe
  bweijlyeua.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\ipqkzhks.exe
    C:\Windows\system32\ipqkzhks.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2580
- C:\Windows\SysWOW64\yjmypyhoogwawqq.exe
  yjmypyhoogwawqq.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2824
- C:\Windows\SysWOW64\ipqkzhks.exe
  ipqkzhks.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2876
- C:\Windows\SysWOW64\bqdlrlpqnlxee.exe
  bqdlrlpqnlxee.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2588
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
ee0b72dca77c129ae405d828c11fdd6e

SHA1
30a30e917a8d01ec6be06cafaabf67d99cdd4bee

SHA256
ab61590db2a6cc424de27d58f15f86745fd2405b0fd98b5989f8ed24e4351e05

SHA512
0538148ff9bd2c58748af2bc473432ed3a6cf64c678b5bb4c890d36c64f1c7912732112299e75061a308f652ff86163e02a13ccdfcb02edb71ba915f7d92ad97

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
4b89b6580d9fbf9c500b96ceb4a25fff

SHA1
2e8129c6a31edfdcc21e3731204373de9c3c2c38

SHA256
0c7e68d6a57d2f3c180a9eeda4a295a9ecb82b221e7b5a1981caeb83a0b799c1

SHA512
128ede9dd19d571757b63b27eb2217d544d932b4c9cfb2a707658faf3762416af1fd74a5717ddd1cce9e4c5c4f696d2dd9e786c962016c9aa37f7eb7c5bffdec

Download Submit
C:\Windows\SysWOW64\bqdlrlpqnlxee.exe

Filesize
211KB

MD5
4711466e68667e948a5ca4f427637383

SHA1
7cf5ff6df835b6c4d3184c2fb369ca70f4ad6dfd

SHA256
ce74932b7852df37b65da9faa2507eb00fe34a1be26d8ff1f33cbc744e52ac6b

SHA512
ce426f5f09f3e7e3215a96529c3fef6361f6e4e63d08dbb8a880b49916b9e0e220a573a18e547b9ab7d117058d3a406e513c5e005ace4670de1e64ed90f172b8

Download Submit
C:\Windows\SysWOW64\bqdlrlpqnlxee.exe

Filesize
164KB

MD5
568be06d0548ad0dccff411caab6c305

SHA1
9ee04fb24e1595f7fae65dcfa9dd8afe7b9e3d58

SHA256
39375da2a892f14f30f487153411b205b4ab17a85d7169d5c0a49e334df0d030

SHA512
46541d81a819611aafeae220cd7c47e98a7f01239913873ae68963ef70324f28b6929ee45cbbcb2d536e6eb322e0406a251dd40dcdc51ef0816d444e3e9030e1

Download Submit
C:\Windows\SysWOW64\bweijlyeua.exe

Filesize
464KB

MD5
3d6bde1997f023ec8bc71396e642577d

SHA1
c91e35ffe159916e3c81decdb7d221943b94b583

SHA256
705e9083d0ef4de2e0d62333314f65caa26a396cbc49b571b78d112536649796

SHA512
af55692e4452f7de5d4583842d8d2d67dce187d65b275506d8cb8dd25f06aec980a0cd6d58155932b49fd28b572f0cc25f94fd0bf07a79c74b397c824b741e73

Download Submit
C:\Windows\SysWOW64\bweijlyeua.exe

Filesize
308KB

MD5
35db84cc672fe1a510423da8085adc5c

SHA1
86f22b6d1b3b13922300d4f1471fc54351616425

SHA256
e5212fb5ea441de34f31509987cc5e62c1bf5df487698c285ae05b3d078d386c

SHA512
519c2f49de5e6edc9bbc42483d1b19f6b4d84641f4f570c906834868e8ff34f1d9400b23191609139616731f77a716f13d806af02058cd5ab1e6eed444b1c25f

Download Submit
C:\Windows\SysWOW64\ipqkzhks.exe

Filesize
306KB

MD5
752c80bc6d46465747351c58e2aa5955

SHA1
d315155f9dda0545cd9ec1fb5111e389008989e8

SHA256
35343cb07fb66ad4e8b8ea2c4a8d695e7aa464be1e3e823202880d761a32dbe7

SHA512
5feff99765330d044e128bb4eddc71cf0fc0895d3cd647fc2238bae6da0a7f31efab488aaba70c532e892d9d6e76453a2d684033b2282071b3a52e1ec9dbb2b6

Download Submit
C:\Windows\SysWOW64\ipqkzhks.exe

Filesize
191KB

MD5
82e612f8e605a6de2abc5fc772967644

SHA1
3801fed9a98795c7f14392beb0c5d5f6f4b355ed

SHA256
daa16d4d88e22506b80e49409f74ad8fcf68d626a2b07ad8d931839121f84652

SHA512
0c707a2132a7d4bb9a9bacbfaf6be5e9178dffd9b131419844ff74fadfc4ba03e95d7188034990558775069871320a01f9d5c73a9aa846098d5cbe7dffd88ee7

Download Submit
C:\Windows\SysWOW64\ipqkzhks.exe

Filesize
48KB

MD5
fb3a101133e649c3894ec0f44f2cfe91

SHA1
2e25f81ca8259608e37387ed32e15e94130361a8

SHA256
eb822dbfbf69e99d7860703c40231f8dda0e3e527c852757ddacf0d87870dd58

SHA512
cdfc64c409551d5afd3e98a11738aedca9e977bc01927f9683a2a17cac2385d020b52d08d14d85015e05358f2792342388b42c7dc45070a913174b58f021a180

Download Submit
C:\Windows\SysWOW64\yjmypyhoogwawqq.exe

Filesize
233KB

MD5
9a7a8e88de4993b678c731a7652a8fec

SHA1
f3ef6ed74e0cb340de4cc2c06bb9e6cd173fa914

SHA256
54f8a00be96215d01bec159d874d4933722c49805b4fcd103459f16b59882b89

SHA512
1d52e52145603ad680b9fe3be0e1877db26120e3bceb92064be1d282a479d55c67dd230bc29f4e3fb6b54711c9e46b2a4751d39a807b5c6e0055c2fcd13eb0ee

Download Submit
C:\Windows\SysWOW64\yjmypyhoogwawqq.exe

Filesize
177KB

MD5
5b8a02dc06615c4f0efe170076cbb681

SHA1
39969b5e833aa4e7f93ebacb38a4f12a578220ac

SHA256
00d00689964c10100b0cc2577e325bf3d39e6800a833074a6d78cb0122618672

SHA512
b4ed74c81564ac54fb922159ff659295fcba4bf748367ab0f8969c5c7b6f35fbe3258a512b0e7a8270801e45ce2f00f91e84fd645866ec1df423f0414d6b9fa3

Download Submit
C:\Windows\SysWOW64\yjmypyhoogwawqq.exe

Filesize
512KB

MD5
58457ca36522d1747cb94e6c54f1f1eb

SHA1
fc6ac1c72c944b319f4f9659f59603486cb4ae37

SHA256
1e1cdaf7f418cbaacf9ac95019418a21427e64e527cde663cf847c77a79a23f3

SHA512
0c8c7e3149a81a25db751745418def5468bc27e0e629380d2e766f1de6fb4309971359914ed0d9fc9ecb0e6f49e0aaa0fff537bc97ab16d824147707748561e8

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\bqdlrlpqnlxee.exe

Filesize
200KB

MD5
04bdaf2192c0dacbdc66b022072eff92

SHA1
d38802b86f094ac43dbfd21ffd2b06b6fe8620d7

SHA256
9824525e0e335645ac08e26507c923d9926d14ac286ad80d2dc3c8fb3d7d33f7

SHA512
c7f47130c0155d9df3a53005d1087f7ff16d38f6b5b1721aaf150a37e2cfc3c1e96c1eb0c36ace358040cab61f787ccb067db404c4a203ed48805818c100cb51

Download Submit
\Windows\SysWOW64\bweijlyeua.exe

Filesize
512KB

MD5
c370e5a532da791ac9d272fa438643d3

SHA1
374f00adf36fb541ba485958eb450909a7203f65

SHA256
8fafec4fd9b525ac5a9cff5bc2423119c611196357034d7515c9f732b4567467

SHA512
b6d857deb8d0ad6d14eea02937f94bf6c584a36876ae33ccfb2db8cb97f067bcf4dc0939c27298cfe0f35a4260dd2a7a6532e1ed0bd34542d7244ed4d7b5c1d4

Download Submit
\Windows\SysWOW64\ipqkzhks.exe

Filesize
253KB

MD5
7b414ad7d50ea39e6fe099ee816fc645

SHA1
c8041267dbcb44dd0ee222803805fe57a4412db3

SHA256
99e28e03246d2ef62aa680ce4391ec102d9e648edb8bf8403b8b2703361d9355

SHA512
0f7409ab449c730c9790f7dd555c5b5d3e999e2d9c87f39cdf96bde8629632e38c80fa0a425e66135e5b1516d4f2bb66f929f6cab77bdb456d3b181bad76b0ea

Download Submit
\Windows\SysWOW64\ipqkzhks.exe

Filesize
39KB

MD5
3c9f78eb3c9a83b389f3af17ac7fe61e

SHA1
709310534662eccb93fb262b29094133b8073982

SHA256
280b661fa34a409b464db192ac4f86861f8c16a35563a00675199e8a02dc42f3

SHA512
688bd452eee5e7994f3a6de7825762c89378ded0c55a8248babbd6fc530fa1f4bb0038bbbe09bce8d9bc3a72539676579a2edd79ff650add81821da85421ac03

Download Submit
\Windows\SysWOW64\yjmypyhoogwawqq.exe

Filesize
254KB

MD5
e171a86dfaf20898e09f4635cf6633ad

SHA1
0e4d6c5a262e0bce953618702201a13cab830849

SHA256
750172ef0c0ebe23b7d096f0bc6e272e2aecb8d4638198722270422264fd5a90

SHA512
d1e82abe2bb9fcad701285e8bd67f1527bc5e7af0de29fed6023d32cfc045f87e997dc0cc83af149110f59b71277eaa23230c8fe9ef56df78c1a241888e51b54

Download Submit
memory/2112-45-0x000000002FC71000-0x000000002FC72000-memory.dmp

Filesize
4KB

Download
memory/2112-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2112-47-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2112-61-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2112-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2112-98-0x00000000717FD000-0x0000000071808000-memory.dmp

Filesize
44KB

Download
memory/2164-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download