6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39faf8ddc75b4758a1a35b1c3841a776.exe
Size

512KB
MD5

39faf8ddc75b4758a1a35b1c3841a776
SHA1

c1909d6b03d78abc536fd19c6c083a92a6c4a2d2
SHA256

6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662
SHA512

de906f80ebcf32659b2bf48ed3d6e08a37f319cfeabca3148fae21394e66e2d4b9dc86ceb1537d41cd6493ea7d21a3fbb960428e9692fd57f22880dcfc65eb0a
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
356	fhhymrqbtu.exe
2688	epxwdyqtjiwwrwa.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe

Loads dropped DLL 5 IoCs

pid	Process
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2720	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ruxavnvi = "fhhymrqbtu.exe"	epxwdyqtjiwwrwa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zbsvknru = "epxwdyqtjiwwrwa.exe"	epxwdyqtjiwwrwa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "edzlqpstmuosg.exe"	epxwdyqtjiwwrwa.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	vznddxoe.exe
File opened (read-only)	\??\y:	vznddxoe.exe
File opened (read-only)	\??\a:	vznddxoe.exe
File opened (read-only)	\??\e:	vznddxoe.exe
File opened (read-only)	\??\m:	vznddxoe.exe
File opened (read-only)	\??\o:	vznddxoe.exe
File opened (read-only)	\??\p:	vznddxoe.exe
File opened (read-only)	\??\r:	vznddxoe.exe
File opened (read-only)	\??\b:	vznddxoe.exe
File opened (read-only)	\??\k:	vznddxoe.exe
File opened (read-only)	\??\q:	vznddxoe.exe
File opened (read-only)	\??\w:	vznddxoe.exe
File opened (read-only)	\??\z:	vznddxoe.exe
File opened (read-only)	\??\h:	vznddxoe.exe
File opened (read-only)	\??\i:	vznddxoe.exe
File opened (read-only)	\??\j:	vznddxoe.exe
File opened (read-only)	\??\n:	vznddxoe.exe
File opened (read-only)	\??\g:	vznddxoe.exe
File opened (read-only)	\??\l:	vznddxoe.exe
File opened (read-only)	\??\s:	vznddxoe.exe
File opened (read-only)	\??\u:	vznddxoe.exe
File opened (read-only)	\??\v:	vznddxoe.exe
File opened (read-only)	\??\x:	vznddxoe.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000a0000000144eb-5.dat	autoit_exe
behavioral1/files/0x000a0000000144eb-25.dat	autoit_exe
behavioral1/files/0x000a0000000144eb-29.dat	autoit_exe
behavioral1/files/0x0030000000014721-31.dat	autoit_exe
behavioral1/files/0x0007000000014b5b-37.dat	autoit_exe
behavioral1/files/0x0007000000014b5b-41.dat	autoit_exe
behavioral1/files/0x0007000000014b5b-42.dat	autoit_exe
behavioral1/files/0x0007000000014b5b-40.dat	autoit_exe
behavioral1/files/0x0030000000014721-39.dat	autoit_exe
behavioral1/files/0x0007000000014b5b-33.dat	autoit_exe
behavioral1/files/0x0030000000014721-27.dat	autoit_exe
behavioral1/files/0x000a0000000144eb-21.dat	autoit_exe
behavioral1/files/0x000e000000012670-20.dat	autoit_exe
behavioral1/files/0x000e000000012670-17.dat	autoit_exe
behavioral1/files/0x000e000000012670-65.dat	autoit_exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\vznddxoe.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\vznddxoe.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\edzlqpstmuosg.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\edzlqpstmuosg.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\fhhymrqbtu.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\fhhymrqbtu.exe	39faf8ddc75b4758a1a35b1c3841a776.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vznddxoe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vznddxoe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vznddxoe.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vznddxoe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vznddxoe.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vznddxoe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vznddxoe.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vznddxoe.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33452C0B9C2182566A3177D277272CDC7CF365DC"	39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B02047E0399F53CAB9A1329AD7B8"	39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC60814E1DBC4B8CF7C93ECE737CC"	39faf8ddc75b4758a1a35b1c3841a776.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF834F2A851D9040D65C7E96BC90E144584267316246D7EA"	39faf8ddc75b4758a1a35b1c3841a776.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2908	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2736	vznddxoe.exe
2736	vznddxoe.exe
2736	vznddxoe.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2688	epxwdyqtjiwwrwa.exe
2876	edzlqpstmuosg.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2044	39faf8ddc75b4758a1a35b1c3841a776.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2688	epxwdyqtjiwwrwa.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2736	vznddxoe.exe
2876	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe
2756	edzlqpstmuosg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2908	WINWORD.EXE
2908	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 356	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2044 wrote to memory of 356	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2044 wrote to memory of 356	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2044 wrote to memory of 356	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2044 wrote to memory of 2688	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	22
PID 2044 wrote to memory of 2688	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	22
PID 2044 wrote to memory of 2688	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	22
PID 2044 wrote to memory of 2688	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	22
PID 2044 wrote to memory of 2736	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	23
PID 2044 wrote to memory of 2736	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	23
PID 2044 wrote to memory of 2736	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	23
PID 2044 wrote to memory of 2736	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	23
PID 2044 wrote to memory of 2876	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	24
PID 2044 wrote to memory of 2876	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	24
PID 2044 wrote to memory of 2876	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	24
PID 2044 wrote to memory of 2876	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	24
PID 2688 wrote to memory of 2720	2688	epxwdyqtjiwwrwa.exe	27
PID 2688 wrote to memory of 2720	2688	epxwdyqtjiwwrwa.exe	27
PID 2688 wrote to memory of 2720	2688	epxwdyqtjiwwrwa.exe	27
PID 2688 wrote to memory of 2720	2688	epxwdyqtjiwwrwa.exe	27
PID 2720 wrote to memory of 2756	2720	cmd.exe	26
PID 2720 wrote to memory of 2756	2720	cmd.exe	26
PID 2720 wrote to memory of 2756	2720	cmd.exe	26
PID 2720 wrote to memory of 2756	2720	cmd.exe	26
PID 2044 wrote to memory of 2908	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	28
PID 2044 wrote to memory of 2908	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	28
PID 2044 wrote to memory of 2908	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	28
PID 2044 wrote to memory of 2908	2044	39faf8ddc75b4758a1a35b1c3841a776.exe	28
PID 2908 wrote to memory of 1264	2908	WINWORD.EXE	38
PID 2908 wrote to memory of 1264	2908	WINWORD.EXE	38
PID 2908 wrote to memory of 1264	2908	WINWORD.EXE	38
PID 2908 wrote to memory of 1264	2908	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe
"C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe
  epxwdyqtjiwwrwa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c edzlqpstmuosg.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2720
- C:\Windows\SysWOW64\vznddxoe.exe
  vznddxoe.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2736
- C:\Windows\SysWOW64\edzlqpstmuosg.exe
  edzlqpstmuosg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2876
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1264
- C:\Windows\SysWOW64\fhhymrqbtu.exe
  fhhymrqbtu.exe
  2⤵
  - Executes dropped EXE
  PID:356

C:\Windows\SysWOW64\edzlqpstmuosg.exe
edzlqpstmuosg.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
76B

MD5
b54e883910aca7420d4164b7e2019a6b

SHA1
006454d66b877958eb5effc030782133dbc6072b

SHA256
0878f76a689ef37da4fcaa4702510ed5e3553f3e3e401022193c6eaeb4697c44

SHA512
18fbf4282930a500011ef20f2c59f2b51db604a1aff198a637390aae837791241e73d92eb8bc876d77be27343b52be2788a3e8b4f7605fbd96a6bda8e077489a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c0bef2b5169666f85cf94a5ee1576850

SHA1
5a9a48877316baf841d68e5d50ece3e987ee7515

SHA256
04bc8d296746ceba0df6fc9d29478ad220916fbc8b9de3400739264c932d4701

SHA512
b036df8c6da4320a6fc5f1148c6a45ae91dedd0e3f9b65395c2cbaabc7b9a2ba52c5517cbf5a56504cf3f7b265ea43eb105e91d3a3e403462ee0d3fd49d7e10e

Download Submit
C:\Windows\SysWOW64\edzlqpstmuosg.exe

Filesize
121KB

MD5
edbeb31149bc4c6c512e7edfd720aca0

SHA1
5fd5b2562778adc1b9e51e6b734058024ce99e1f

SHA256
ee42322756135115a78848e4523c3b433c7413b9997bd24ff17caa7ca926e498

SHA512
ef82fcadb03732ea2a2ae0f01d17530e720f175623650da7b97c2f9f4c31c3e42ef764e77d91ec761c1540e7d1957118c3b1a7ea204ea5e3c9895055674dfb49

Download Submit
C:\Windows\SysWOW64\edzlqpstmuosg.exe

Filesize
168KB

MD5
57e578c2c8adf7220cbf21e0efb8d515

SHA1
1a4442d545a3e4b0ed7f36be9a3a90e085851ab8

SHA256
bf608216e9c5eadd73832db0792aa268458b68d931481b257ae2708a023c7c1c

SHA512
446d1f7667fab058b3ba6854121fdaf3155fd6a4e0d259ba47b3e8d7649d69245d41c812912d97270cc53b08b6f7e845c5de0c07e035c50c329ce2cc3b6c0fb0

Download Submit
C:\Windows\SysWOW64\edzlqpstmuosg.exe

Filesize
126KB

MD5
0039e8e5abdb46fd6bbf68fde251ed17

SHA1
dcc3ec432164082569843bb82f13c99338013469

SHA256
74e17233ce8e03fe40df40c14d4deeafccbfbc0020a2625d8531ffe3d58ad65b

SHA512
a66ba9aed8d060be8140fbe01d31d5603ad8134369728c873512917c19ff2063a5d223c39345cb33eb803eda7e1e7a8ef1c17062c376caeae91a597ae82cd659

Download Submit
C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe

Filesize
305KB

MD5
b38fe08226a06720b12c73e39705f708

SHA1
23aa1edc8ae1dbd27ca053132020a6d20707945a

SHA256
13b0a7610c9142d9340630921c3b0442bd358ef0d4d261e6ff75e525214748d0

SHA512
c6a10429c7772265dee7a6064f786ef84392d7896e02588e9ad7fe4f00a4b8854da7e664dd8211929c4d5f29036f3f8b553dfaf85da60855939059f1112fd591

Download Submit
C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe

Filesize
200KB

MD5
f816bede655927421e5866bfed385820

SHA1
697efc6ac16132bc38e1602ce6abbf142f36095b

SHA256
e2629e42179cc6ce46f2d642410d0b1b6b244a9f8c1f1988e35b59aee1c02c72

SHA512
7267dac994cb2fc960c7ccce918e0b75f5cb4697954e59c1b5451459067c71585bba312881313dfad3277d3b07d8d74da6b95d7259d750c65813b876fdc403a1

Download Submit
C:\Windows\SysWOW64\epxwdyqtjiwwrwa.exe

Filesize
233KB

MD5
e7dfb051607b12802dd4ca7a30dff1f2

SHA1
450c1057ddc3f08b900302e3e64cba7441957868

SHA256
a9e43c400b6acfbf10b795e75dbc5252c4c803bc9f6fe325187e5ba9e4f61dd9

SHA512
bb4d5ae2df347df85b4770dc7a5f8e20aec30a607fa9ae04e6f3fb9f098516aa4fb71167bd999c77a0177ecadfc527c70f1010c28f5cf7cca3e5cdb3627918d2

Download Submit
C:\Windows\SysWOW64\fhhymrqbtu.exe

Filesize
411KB

MD5
c790592a0b3f224bebcfe512d4cc3d39

SHA1
8942093db3c8983aa027794cc7912b78a45bf4a0

SHA256
fac17f2f9657851d4e51ac94646aab7e6ef0c87592ea3b5d1b0be96027494f3c

SHA512
58fc2f19c9fc1d3e925e064c0276b520b16f1cd5922c5d8f29669aced6273845e3ab3d738845cd37e0d3e69463ac29687c41ad1444ac590d620b468f4cb8a750

Download Submit
C:\Windows\SysWOW64\fhhymrqbtu.exe

Filesize
24KB

MD5
c788faac50aeafde5f585c1fa3cd49ff

SHA1
1709713fc1d9ae2a149e3b3863ea75f82ebec905

SHA256
f13c177951b51128f6e2640bb0872dd36d794a81c05d7c0fa1f2b69b0c4af6c3

SHA512
b450d0356dd36c1d650b263e595016a46cfaea4ccc0209b987a2024ed332a2cbfde947d3755ccb3becda1b1164b03da3be9b12639f6d33f872bdfa22490510c3

Download Submit
C:\Windows\SysWOW64\vznddxoe.exe

Filesize
136KB

MD5
2802a5bddcaa71c640c215d080fb8fb1

SHA1
b375b06aaa8b2184730d48aa0535ba343a898ab8

SHA256
80b869b8a2239777e4fdec6aba19c7aa9e3d8796c24e0d07fdaa53a1d2f3eb0f

SHA512
5dd7e5b038455a67da8ab82f7a57cd2690ca12e42365c43b87692f777cc44e69b43660db6ca398396eaadbbee30162b0fa32e0e24c2b1e07ddc17c4deebabcbb

Download Submit
C:\Windows\SysWOW64\vznddxoe.exe

Filesize
89KB

MD5
19b1970be8aa96972c22e79325d7ced7

SHA1
dd6417a644e942d6a6a78446bcb9b3628788042c

SHA256
538d650ec1201abfc6fc6dbcefec7b02c3036febf86d24db812bc1677feb5bc1

SHA512
778e427d36a1d0c6daf4b26b98939393a588820812c7fe08f080ec0672723d526e73ec733a1118cecdb3650703d77a73d45bba66b46a8a2b479f86b87eff0b51

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\edzlqpstmuosg.exe

Filesize
132KB

MD5
1eaf1defe404d8e981d52a70c1ba3b87

SHA1
fee707026e6cac03c22b8deb903ad980d8dc00d5

SHA256
d1ef9e90c11b5864df5c867786d4d330cd6a06ad14bab035c4c0160ad335d034

SHA512
efa44b15c7be958803b6bad02362cde6423f535e4622a3f86aeb063ae5a4ac86b586270242ab7c04615c5fd56c8c4caca5db65ae92513d9fb9a40e6d8065a37a

Download Submit
\Windows\SysWOW64\edzlqpstmuosg.exe

Filesize
231KB

MD5
55a62cede140f56972fad46d977dfc2e

SHA1
4ddf0e40b87ea5d8739fa3183ce6e8d30cad1783

SHA256
2771d00d8abbb7387e5216245b38c6e0fb1f72192b51c1301e7e2d7f19b0274d

SHA512
511117a87eb348eedc7ba1ca48ceb094506320e40dbeda23625b782c4bdeb73f0885aaf5b9fd2f770f7965728a8957f063ed3e6d5c76879d7a6c62451800b8b6

Download Submit
\Windows\SysWOW64\epxwdyqtjiwwrwa.exe

Filesize
256KB

MD5
5313b4526a13263f7477f226b00d182e

SHA1
6695d1d3e558e0e59464d45095c17956deb077d2

SHA256
1baad4e0b4f7feea700d22909b93ac8c0a057043cafdeb32241f6a8b931ae389

SHA512
356d6c4819143144fdda6c1215556906a84708fc76e64df02eee5afa6ba738d7663a003302fd8d6c54b6990cff26437648693d391ef84f23ec9701ddc1d4ceb0

Download Submit
\Windows\SysWOW64\fhhymrqbtu.exe

Filesize
377KB

MD5
6b1d653753cf1a450a4fd21a54d9aec7

SHA1
c1ab05f693812825b6dabdfae15eb2b7d7ef5054

SHA256
d57219e6152c676660cad3771cd72ee47e5c6babea49e525ed9a2d02d34ecacd

SHA512
f4a7e2417ad4a7e8ffd07b625fe50394f8c034bc8dc69976ee71e796f1d40e82c47399ae35ade7d4179952e9d26601b7de549fcf45a7246df5ab943679cb2674

Download Submit
\Windows\SysWOW64\vznddxoe.exe

Filesize
172KB

MD5
3bb2d82ccd5483c9a4b6970cb94578ec

SHA1
1eba55939e2bac0e93b53072f4b343a5d299b5d4

SHA256
3c516b9a228e62145cd9e431af8f0089a2606f50a03036ba56125970547c7a13

SHA512
6973b96e1775192bfbaa75a0462c33213f82a2d75658cf3713789ce8339510bb15920b61e19f9625a6582343043ed84722d7261282dc66eaae1547c8b906d713

Download Submit
memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2908-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-46-0x00000000713BD000-0x00000000713C8000-memory.dmp

Filesize
44KB

Download
memory/2908-44-0x000000002FAE1000-0x000000002FAE2000-memory.dmp

Filesize
4KB

Download
memory/2908-79-0x00000000713BD000-0x00000000713C8000-memory.dmp

Filesize
44KB

Download
memory/2908-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download