Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26/12/2023, 10:27
Static task
static1
Behavioral task
behavioral1
Sample
67450bf4bafa5415d22cf2608e9b729b.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
67450bf4bafa5415d22cf2608e9b729b.exe
Resource
win10v2004-20231222-en
General
- Target: 67450bf4bafa5415d22cf2608e9b729b.exe
- Size: 512KB
- MD5: 67450bf4bafa5415d22cf2608e9b729b
- SHA1: 84084805d8edd3694e67f3f0a66e37728a8a3b60
- SHA256: 896e6429bf188ede54e16b81c76631871a427c3d17dd4d82185f641015ba5bc0
- SHA512: 45680a55166e8ac63a7456d3814192e10315ac0121c042267e1abbc001033285c9390d920df2e2493e0d45df52116e3d68d1fd56dba570351df6aa8d581329c3
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj61:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5A
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" ojdyryfrxn.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" ojdyryfrxn.exe -
Windows security bypass
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ojdyryfrxn.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ojdyryfrxn.exe -
Executes dropped EXE 5 IoCs
pid Process 2204 ojdyryfrxn.exe 2500 ovmkjqpmwjwnthk.exe 2056 fxofscvd.exe 2776 fbobrvfrtzmwg.exe 2880 fxofscvd.exe -
Loads dropped DLL 5 IoCs
pid Process 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 2204 ojdyryfrxn.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" ojdyryfrxn.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\scobgrxq = "ojdyryfrxn.exe" ovmkjqpmwjwnthk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ysrcvunk = "ovmkjqpmwjwnthk.exe" ovmkjqpmwjwnthk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fbobrvfrtzmwg.exe" ovmkjqpmwjwnthk.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" ojdyryfrxn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" ojdyryfrxn.exe -
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1720-0-0x0000000000400000-0x0000000000496000-memory.dmp autoit_exe behavioral1/files/0x000c000000013378-5.dat autoit_exe behavioral1/files/0x000d00000001224a-17.dat autoit_exe behavioral1/files/0x002a0000000165c9-27.dat autoit_exe behavioral1/files/0x0007000000016c74-37.dat autoit_exe behavioral1/files/0x002a0000000165c9-42.dat autoit_exe behavioral1/files/0x00020000000001bf-49.dat autoit_exe behavioral1/files/0x0005000000019597-72.dat autoit_exe behavioral1/files/0x0005000000019599-81.dat autoit_exe -
Drops file in System32 directory 9 IoCs
description ioc Process File created C:\Windows\SysWOW64\ojdyryfrxn.exe 67450bf4bafa5415d22cf2608e9b729b.exe File created C:\Windows\SysWOW64\fxofscvd.exe 67450bf4bafa5415d22cf2608e9b729b.exe File opened for modification C:\Windows\SysWOW64\fbobrvfrtzmwg.exe 67450bf4bafa5415d22cf2608e9b729b.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll ojdyryfrxn.exe File opened for modification C:\Windows\SysWOW64\ojdyryfrxn.exe 67450bf4bafa5415d22cf2608e9b729b.exe File created C:\Windows\SysWOW64\ovmkjqpmwjwnthk.exe 67450bf4bafa5415d22cf2608e9b729b.exe File opened for modification C:\Windows\SysWOW64\ovmkjqpmwjwnthk.exe 67450bf4bafa5415d22cf2608e9b729b.exe File opened for modification C:\Windows\SysWOW64\fxofscvd.exe 67450bf4bafa5415d22cf2608e9b729b.exe File created C:\Windows\SysWOW64\fbobrvfrtzmwg.exe 67450bf4bafa5415d22cf2608e9b729b.exe -
Drops file in Program Files directory 22 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe fxofscvd.exe File created \??\c:\Program Files\BlockInvoke.doc.exe fxofscvd.exe File opened for modification C:\Program Files\BlockInvoke.nal fxofscvd.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal fxofscvd.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe fxofscvd.exe File opened for modification \??\c:\Program Files\BlockInvoke.doc.exe fxofscvd.exe File opened for modification C:\Program Files\BlockInvoke.doc.exe fxofscvd.exe File opened for modification C:\Program Files\BlockInvoke.doc.exe fxofscvd.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe File opened for modification \??\c:\Program Files\BlockInvoke.doc.exe fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal fxofscvd.exe File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe fxofscvd.exe File opened for modification C:\Program Files\BlockInvoke.nal fxofscvd.exe File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe File 
opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe fxofscvd.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE File created C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\~$mydoc.rtf WINWORD.EXE File opened for modification C:\Windows\mydoc.rtf 67450bf4bafa5415d22cf2608e9b729b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2472 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 2500 ovmkjqpmwjwnthk.exe 2500 ovmkjqpmwjwnthk.exe 2500 ovmkjqpmwjwnthk.exe 2204 ojdyryfrxn.exe 2204 ojdyryfrxn.exe 2204 ojdyryfrxn.exe 2776 fbobrvfrtzmwg.exe 2776 fbobrvfrtzmwg.exe 2776 fbobrvfrtzmwg.exe 2056 fxofscvd.exe 2056 fxofscvd.exe 2056 fxofscvd.exe 2880 fxofscvd.exe 2880 fxofscvd.exe 2880 fxofscvd.exe -
Suspicious use of SendNotifyMessage 18 IoCs
pid Process 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 1720 67450bf4bafa5415d22cf2608e9b729b.exe 2500 ovmkjqpmwjwnthk.exe 2500 ovmkjqpmwjwnthk.exe 2500 ovmkjqpmwjwnthk.exe 2204 ojdyryfrxn.exe 2204 ojdyryfrxn.exe 2204 ojdyryfrxn.exe 2776 fbobrvfrtzmwg.exe 2776 fbobrvfrtzmwg.exe 2776 fbobrvfrtzmwg.exe 2056 fxofscvd.exe 2056 fxofscvd.exe 2056 fxofscvd.exe 2880 fxofscvd.exe 2880 fxofscvd.exe 2880 fxofscvd.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2472 WINWORD.EXE 2472 WINWORD.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\67450bf4bafa5415d22cf2608e9b729b.exe"C:\Users\Admin\AppData\Local\Temp\67450bf4bafa5415d22cf2608e9b729b.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\ojdyryfrxn.exeojdyryfrxn.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\fxofscvd.exeC:\Windows\system32\fxofscvd.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2880
-
-
-
C:\Windows\SysWOW64\ovmkjqpmwjwnthk.exeovmkjqpmwjwnthk.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2500
-
-
C:\Windows\SysWOW64\fbobrvfrtzmwg.exefbobrvfrtzmwg.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776
-
-
C:\Windows\SysWOW64\fxofscvd.exefxofscvd.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"; tree depth 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
-
C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288; tree depth 3)
PID:1696
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads