Analysis
max time kernel: 56s
max time network: 124s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 11:03
Static task: static1
Behavioral task: behavioral1
Sample: 696ff618dc5de2b72fd61a9e0536f172.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 696ff618dc5de2b72fd61a9e0536f172.exe
Resource: win10v2004-20231222-en
General
Target: 696ff618dc5de2b72fd61a9e0536f172.exe
Size: 512KB
MD5: 696ff618dc5de2b72fd61a9e0536f172
SHA1: 853a0b14b1af1a81f43c3bf7c23e125740feb322
SHA256: d2cfff29a8f3ca64f2b28426ccc1b5f8750a2701b2f5b8f7b0c81ad2f3d4c714
SHA512: 8c481f21dee562ce7d71e7aa7442e0fe3f490c34260140ed6e165d4bc8f7a19eb6205795a05a875fa4284f4efcc30b3fb44668c82efaf56b44756c4f99102fbf
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (pnplfwewaz.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (pnplfwewaz.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pnplfwewaz.exe)
Disables RegEdit via registry modification (1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (pnplfwewaz.exe)
Executes dropped EXE (5 IoCs)
- PID 2668 pnplfwewaz.exe
- PID 2780 lglygswyybjgmhb.exe
- PID 2692 lhyabkra.exe
- PID 2876 pxecugelaalgd.exe
- PID 1712 lhyabkra.exe
Loads dropped DLL (5 IoCs)
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 2668 pnplfwewaz.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (pnplfwewaz.exe)
Adds Run key to start application (2 TTPs, 3 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uakcgkrl = "pnplfwewaz.exe" (lglygswyybjgmhb.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rtwfxbob = "lglygswyybjgmhb.exe" (lglygswyybjgmhb.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pxecugelaalgd.exe" (lglygswyybjgmhb.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" (pnplfwewaz.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" (pnplfwewaz.exe)
AutoIT Executable (10 IoCs)
AutoIT scripts compiled to PE executables.
- behavioral1/memory/840-0-0x0000000000400000-0x0000000000496000-memory.dmp (yara rule: autoit_exe)
- behavioral1/files/0x00100000000133bf-5.dat (yara rule: autoit_exe)
- behavioral1/files/0x0009000000012281-17.dat (yara rule: autoit_exe)
- behavioral1/files/0x00100000000133bf-22.dat (yara rule: autoit_exe)
- behavioral1/files/0x002f000000015c93-36.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000015da6-34.dat (yara rule: autoit_exe)
- behavioral1/files/0x0007000000015da6-39.dat (yara rule: autoit_exe)
- behavioral1/files/0x002f000000015c93-31.dat (yara rule: autoit_exe)
- behavioral1/files/0x0009000000012281-24.dat (yara rule: autoit_exe)
- behavioral1/files/0x0009000000012281-20.dat (yara rule: autoit_exe)
Drops file in System32 directory (9 IoCs)
- File opened for modification C:\Windows\SysWOW64\lglygswyybjgmhb.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File created C:\Windows\SysWOW64\lhyabkra.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File opened for modification C:\Windows\SysWOW64\lhyabkra.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File opened for modification C:\Windows\SysWOW64\pxecugelaalgd.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File opened for modification C:\Windows\SysWOW64\pnplfwewaz.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File created C:\Windows\SysWOW64\lglygswyybjgmhb.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File created C:\Windows\SysWOW64\pxecugelaalgd.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
- File opened for modification C:\Windows\SysWOW64\msvbvm60.dll (pnplfwewaz.exe)
- File created C:\Windows\SysWOW64\pnplfwewaz.exe (696ff618dc5de2b72fd61a9e0536f172.exe)
Drops file in Program Files directory (28 IoCs; all by lhyabkra.exe, repeated entries listed once)
- File opened for modification C:\Program Files\SplitUnprotect.doc.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe
- File opened for modification C:\Program Files\DisconnectStart.doc.exe
- File opened for modification C:\Program Files\SplitUnprotect.nal
- File opened for modification \??\c:\Program Files\SplitUnprotect.doc.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal
- File created \??\c:\Program Files\DisconnectStart.doc.exe
- File opened for modification C:\Program Files\DisconnectStart.nal
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal
- File opened for modification \??\c:\Program Files\DisconnectStart.doc.exe
- File created \??\c:\Program Files\SplitUnprotect.doc.exe
Drops file in Windows directory (4 IoCs)
- File opened for modification C:\Windows\mydoc.rtf (696ff618dc5de2b72fd61a9e0536f172.exe)
- File opened for modification C:\Windows\mydoc.rtf (WINWORD.EXE)
- File created C:\Windows\~$mydoc.rtf (WINWORD.EXE)
- File opened for modification C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Modifies registry class (64 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
- PID 1412 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated entries listed once)
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 2668 pnplfwewaz.exe
- PID 2692 lhyabkra.exe
- PID 2780 lglygswyybjgmhb.exe
- PID 1712 lhyabkra.exe
- PID 2876 pxecugelaalgd.exe
Suspicious use of FindShellTrayWindow (18 IoCs; repeated entries listed once)
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 2668 pnplfwewaz.exe
- PID 2780 lglygswyybjgmhb.exe
- PID 2692 lhyabkra.exe
- PID 2876 pxecugelaalgd.exe
- PID 1712 lhyabkra.exe
Suspicious use of SendNotifyMessage (18 IoCs; repeated entries listed once)
- PID 840 696ff618dc5de2b72fd61a9e0536f172.exe
- PID 2668 pnplfwewaz.exe
- PID 2780 lglygswyybjgmhb.exe
- PID 2692 lhyabkra.exe
- PID 2876 pxecugelaalgd.exe
- PID 1712 lhyabkra.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1412 WINWORD.EXE
- PID 1412 WINWORD.EXE
Suspicious use of WriteProcessMemory (28 IoCs; repeated entries listed once)
- PID 840 (696ff618dc5de2b72fd61a9e0536f172.exe) wrote to memory of PID 2668 (procid_target 28)
- PID 840 (696ff618dc5de2b72fd61a9e0536f172.exe) wrote to memory of PID 2780 (procid_target 33)
- PID 840 (696ff618dc5de2b72fd61a9e0536f172.exe) wrote to memory of PID 2692 (procid_target 31)
- PID 840 (696ff618dc5de2b72fd61a9e0536f172.exe) wrote to memory of PID 2876 (procid_target 30)
- PID 2668 (pnplfwewaz.exe) wrote to memory of PID 1712 (procid_target 29)
- PID 840 (696ff618dc5de2b72fd61a9e0536f172.exe) wrote to memory of PID 1412 (procid_target 32)
- PID 1412 (WINWORD.EXE) wrote to memory of PID 764 (procid_target 36)
Processes
- C:\Users\Admin\AppData\Local\Temp\696ff618dc5de2b72fd61a9e0536f172.exe (depth 1, PID 840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\696ff618dc5de2b72fd61a9e0536f172.exe"
  Signatures:
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\pnplfwewaz.exe (depth 2, PID 2668)
    Command line: pnplfwewaz.exe
    Signatures:
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\lhyabkra.exe (depth 3, PID 1712)
      Command line: C:\Windows\system32\lhyabkra.exe
      Signatures:
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\pxecugelaalgd.exe (depth 2, PID 2876)
    Command line: pxecugelaalgd.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\SysWOW64\lhyabkra.exe (depth 2, PID 2692)
    Command line: lhyabkra.exe
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2, PID 1412)
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    Signatures:
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\splwow64.exe (depth 3, PID 764)
      Command line: C:\Windows\splwow64.exe 12288
  - C:\Windows\SysWOW64\lglygswyybjgmhb.exe (depth 2, PID 2780)
    Command line: lglygswyybjgmhb.exe
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (7)
Downloads