1adcf3655481103f075d482b6ed17c6544da44cb7eb486223f7bfcd777178ab3

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7275c4f3b872ee1d583727624dbd043b.exe
Size

512KB
MD5

7275c4f3b872ee1d583727624dbd043b
SHA1

e2739fd3d118d7cb76d9aa11ca146fba08b10d5e
SHA256

1adcf3655481103f075d482b6ed17c6544da44cb7eb486223f7bfcd777178ab3
SHA512

082ae250534c033f94e5ede6d7e330d4dd5b96d4140afcae0b3aa756c737714e8e471d21755a424c5fdc8a78e0da3d6cc448deb95ecad1cadcfade43a3a3f06d
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	rzxzhverlu.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	rzxzhverlu.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rzxzhverlu.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	rzxzhverlu.exe

Executes dropped EXE 5 IoCs

pid	Process
2388	rzxzhverlu.exe
2308	xyfszwaq.exe
2016	sodqvugcaztojmi.exe
2672	dyaelgucohpgs.exe
2464	xyfszwaq.exe

Loads dropped DLL 5 IoCs

pid	Process
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2388	rzxzhverlu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	rzxzhverlu.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\fpdojxeu = "rzxzhverlu.exe"	sodqvugcaztojmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\klrudikv = "sodqvugcaztojmi.exe"	sodqvugcaztojmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "dyaelgucohpgs.exe"	sodqvugcaztojmi.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	xyfszwaq.exe
File opened (read-only)	\??\s:	rzxzhverlu.exe
File opened (read-only)	\??\n:	xyfszwaq.exe
File opened (read-only)	\??\i:	xyfszwaq.exe
File opened (read-only)	\??\v:	rzxzhverlu.exe
File opened (read-only)	\??\x:	rzxzhverlu.exe
File opened (read-only)	\??\j:	xyfszwaq.exe
File opened (read-only)	\??\n:	xyfszwaq.exe
File opened (read-only)	\??\b:	rzxzhverlu.exe
File opened (read-only)	\??\i:	rzxzhverlu.exe
File opened (read-only)	\??\l:	rzxzhverlu.exe
File opened (read-only)	\??\h:	rzxzhverlu.exe
File opened (read-only)	\??\p:	rzxzhverlu.exe
File opened (read-only)	\??\v:	xyfszwaq.exe
File opened (read-only)	\??\o:	xyfszwaq.exe
File opened (read-only)	\??\u:	xyfszwaq.exe
File opened (read-only)	\??\v:	xyfszwaq.exe
File opened (read-only)	\??\x:	xyfszwaq.exe
File opened (read-only)	\??\b:	xyfszwaq.exe
File opened (read-only)	\??\o:	xyfszwaq.exe
File opened (read-only)	\??\q:	xyfszwaq.exe
File opened (read-only)	\??\m:	xyfszwaq.exe
File opened (read-only)	\??\a:	xyfszwaq.exe
File opened (read-only)	\??\b:	xyfszwaq.exe
File opened (read-only)	\??\l:	xyfszwaq.exe
File opened (read-only)	\??\t:	xyfszwaq.exe
File opened (read-only)	\??\w:	rzxzhverlu.exe
File opened (read-only)	\??\t:	xyfszwaq.exe
File opened (read-only)	\??\w:	xyfszwaq.exe
File opened (read-only)	\??\r:	xyfszwaq.exe
File opened (read-only)	\??\x:	xyfszwaq.exe
File opened (read-only)	\??\e:	xyfszwaq.exe
File opened (read-only)	\??\m:	xyfszwaq.exe
File opened (read-only)	\??\y:	rzxzhverlu.exe
File opened (read-only)	\??\z:	rzxzhverlu.exe
File opened (read-only)	\??\s:	xyfszwaq.exe
File opened (read-only)	\??\p:	xyfszwaq.exe
File opened (read-only)	\??\u:	xyfszwaq.exe
File opened (read-only)	\??\z:	xyfszwaq.exe
File opened (read-only)	\??\h:	xyfszwaq.exe
File opened (read-only)	\??\k:	rzxzhverlu.exe
File opened (read-only)	\??\o:	rzxzhverlu.exe
File opened (read-only)	\??\i:	xyfszwaq.exe
File opened (read-only)	\??\r:	xyfszwaq.exe
File opened (read-only)	\??\z:	xyfszwaq.exe
File opened (read-only)	\??\g:	rzxzhverlu.exe
File opened (read-only)	\??\n:	rzxzhverlu.exe
File opened (read-only)	\??\e:	xyfszwaq.exe
File opened (read-only)	\??\t:	rzxzhverlu.exe
File opened (read-only)	\??\g:	xyfszwaq.exe
File opened (read-only)	\??\e:	rzxzhverlu.exe
File opened (read-only)	\??\r:	rzxzhverlu.exe
File opened (read-only)	\??\a:	xyfszwaq.exe
File opened (read-only)	\??\s:	xyfszwaq.exe
File opened (read-only)	\??\m:	rzxzhverlu.exe
File opened (read-only)	\??\q:	rzxzhverlu.exe
File opened (read-only)	\??\y:	xyfszwaq.exe
File opened (read-only)	\??\w:	xyfszwaq.exe
File opened (read-only)	\??\y:	xyfszwaq.exe
File opened (read-only)	\??\h:	xyfszwaq.exe
File opened (read-only)	\??\j:	xyfszwaq.exe
File opened (read-only)	\??\k:	xyfszwaq.exe
File opened (read-only)	\??\g:	xyfszwaq.exe
File opened (read-only)	\??\l:	xyfszwaq.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	rzxzhverlu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rzxzhverlu.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b000000014b64-5.dat	autoit_exe
behavioral1/files/0x0009000000014a5b-17.dat	autoit_exe
behavioral1/files/0x000900000001560b-26.dat	autoit_exe
behavioral1/files/0x0007000000015c52-33.dat	autoit_exe
behavioral1/files/0x00060000000160f5-69.dat	autoit_exe
behavioral1/files/0x0006000000016417-79.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sodqvugcaztojmi.exe	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\SysWOW64\xyfszwaq.exe	7275c4f3b872ee1d583727624dbd043b.exe
File created	C:\Windows\SysWOW64\xyfszwaq.exe	7275c4f3b872ee1d583727624dbd043b.exe
File created	C:\Windows\SysWOW64\dyaelgucohpgs.exe	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\SysWOW64\dyaelgucohpgs.exe	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	rzxzhverlu.exe
File created	C:\Windows\SysWOW64\rzxzhverlu.exe	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\SysWOW64\rzxzhverlu.exe	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\SysWOW64\sodqvugcaztojmi.exe	7275c4f3b872ee1d583727624dbd043b.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xyfszwaq.exe
File opened for modification	\??\c:\Program Files\OutClose.doc.exe	xyfszwaq.exe
File opened for modification	C:\Program Files\OutClose.doc.exe	xyfszwaq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xyfszwaq.exe
File created	\??\c:\Program Files\OutClose.doc.exe	xyfszwaq.exe
File opened for modification	C:\Program Files\OutClose.doc.exe	xyfszwaq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xyfszwaq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xyfszwaq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xyfszwaq.exe
File opened for modification	C:\Program Files\OutClose.nal	xyfszwaq.exe
File opened for modification	C:\Program Files\OutClose.nal	xyfszwaq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xyfszwaq.exe
File opened for modification	\??\c:\Program Files\OutClose.doc.exe	xyfszwaq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xyfszwaq.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	7275c4f3b872ee1d583727624dbd043b.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	rzxzhverlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC67D14E0DBBEB8C07C92ED9537CF"	7275c4f3b872ee1d583727624dbd043b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	rzxzhverlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	rzxzhverlu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	rzxzhverlu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABBF910F298840F3A44869C3992B08E03FE42130349E1C442ED08A3"	7275c4f3b872ee1d583727624dbd043b.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	7275c4f3b872ee1d583727624dbd043b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2196	7275c4f3b872ee1d583727624dbd043b.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2388	rzxzhverlu.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2308	xyfszwaq.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2016	sodqvugcaztojmi.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe
2464	xyfszwaq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2616	WINWORD.EXE
2616	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2388	2196	7275c4f3b872ee1d583727624dbd043b.exe	28
PID 2196 wrote to memory of 2388	2196	7275c4f3b872ee1d583727624dbd043b.exe	28
PID 2196 wrote to memory of 2388	2196	7275c4f3b872ee1d583727624dbd043b.exe	28
PID 2196 wrote to memory of 2388	2196	7275c4f3b872ee1d583727624dbd043b.exe	28
PID 2196 wrote to memory of 2016	2196	7275c4f3b872ee1d583727624dbd043b.exe	29
PID 2196 wrote to memory of 2016	2196	7275c4f3b872ee1d583727624dbd043b.exe	29
PID 2196 wrote to memory of 2016	2196	7275c4f3b872ee1d583727624dbd043b.exe	29
PID 2196 wrote to memory of 2016	2196	7275c4f3b872ee1d583727624dbd043b.exe	29
PID 2196 wrote to memory of 2308	2196	7275c4f3b872ee1d583727624dbd043b.exe	30
PID 2196 wrote to memory of 2308	2196	7275c4f3b872ee1d583727624dbd043b.exe	30
PID 2196 wrote to memory of 2308	2196	7275c4f3b872ee1d583727624dbd043b.exe	30
PID 2196 wrote to memory of 2308	2196	7275c4f3b872ee1d583727624dbd043b.exe	30
PID 2196 wrote to memory of 2672	2196	7275c4f3b872ee1d583727624dbd043b.exe	31
PID 2196 wrote to memory of 2672	2196	7275c4f3b872ee1d583727624dbd043b.exe	31
PID 2196 wrote to memory of 2672	2196	7275c4f3b872ee1d583727624dbd043b.exe	31
PID 2196 wrote to memory of 2672	2196	7275c4f3b872ee1d583727624dbd043b.exe	31
PID 2388 wrote to memory of 2464	2388	rzxzhverlu.exe	33
PID 2388 wrote to memory of 2464	2388	rzxzhverlu.exe	33
PID 2388 wrote to memory of 2464	2388	rzxzhverlu.exe	33
PID 2388 wrote to memory of 2464	2388	rzxzhverlu.exe	33
PID 2196 wrote to memory of 2616	2196	7275c4f3b872ee1d583727624dbd043b.exe	32
PID 2196 wrote to memory of 2616	2196	7275c4f3b872ee1d583727624dbd043b.exe	32
PID 2196 wrote to memory of 2616	2196	7275c4f3b872ee1d583727624dbd043b.exe	32
PID 2196 wrote to memory of 2616	2196	7275c4f3b872ee1d583727624dbd043b.exe	32
PID 2616 wrote to memory of 2836	2616	WINWORD.EXE	36
PID 2616 wrote to memory of 2836	2616	WINWORD.EXE	36
PID 2616 wrote to memory of 2836	2616	WINWORD.EXE	36
PID 2616 wrote to memory of 2836	2616	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\7275c4f3b872ee1d583727624dbd043b.exe
"C:\Users\Admin\AppData\Local\Temp\7275c4f3b872ee1d583727624dbd043b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\rzxzhverlu.exe
  rzxzhverlu.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\xyfszwaq.exe
    C:\Windows\system32\xyfszwaq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2464
- C:\Windows\SysWOW64\sodqvugcaztojmi.exe
  sodqvugcaztojmi.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2016
- C:\Windows\SysWOW64\xyfszwaq.exe
  xyfszwaq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2308
- C:\Windows\SysWOW64\dyaelgucohpgs.exe
  dyaelgucohpgs.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
f7b5edea1bf07ec1a1be15fc2926165b

SHA1
9cda8887308806c7816e36ff9eab6a4b3e85d7b8

SHA256
657854f720db634af13b45e2081d551f10628e2184f4701f72afdd73d61f27c8

SHA512
836748b78a784588ef1e04325197dfeb5fe3351d8a0ff9aeaa6927244e4741dd3c560bbc7f45233e0cc64f39a621ec6da7768585b67dd9746018da25b093ea21

Download Submit
C:\Program Files\OutClose.doc.exe

Filesize
512KB

MD5
dbe73d16b2387c2d6d6ab8b150e91510

SHA1
33d706e47eab45b0e5730937b0591e51bafd9df3

SHA256
38b3751745237afe1c334a8e795a95aef7779f25a69d7ba5ae4441aa4ea7ab92

SHA512
5affb1c3d0249dddf8eb6220d228bf7910a0d114ca0943ea6413c3b3e40b1e5da79f35cdcac428f3f3777cac0ffa9097adb1d6191a3c222a20c0666170ad01b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
68B

MD5
a7a27f88ffa7ba40afd17e042b065a4d

SHA1
d028c90587d6fac87f178763ee5e5b6f9ccca6a8

SHA256
0977b07b4ed91356dbf3196df19840611ba6d8cdef7c294bf74bcb03c45f406d

SHA512
fb003649d7261005b8d2315d022e44b9377d17409183471718da3b05853714f0ce569de8d595a85ef7879a6ebbdaeded8e813d5cb486e3f411168f25b717d9dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0e0c62a72da7b5df052e49afd74860af

SHA1
8e880ce489d306be5b3e0bca705391b70133a57f

SHA256
3cd56e36a892cfb4893b2d1508e3c6e1947c87a2648eff8cfaf971d77f0cfafb

SHA512
4e2b30422455cdfb3d3c2667e8d00e1e68a2a479bad2c711a069121731563d8d141e14ebb0d9d057aa6fe4dd8be6e0a840ae50e4ed15380faef4ff8dc3a924c8

Download Submit
C:\Windows\SysWOW64\sodqvugcaztojmi.exe

Filesize
512KB

MD5
678e97f01f51b064c49d81faa111594d

SHA1
cbe19ba8d2d9472c04d9e6bb725c03c0617ef44d

SHA256
1787baf408a522564df24e0c3720e6aca932f14f6a78faa5cfa36ddb49beb855

SHA512
026ae6f8bbf021b621a4fad7883afc13b081a4ca89d23979947e60ea1d0a6bf955f8b5402c72d862a80f51f65847bb3401aec7b95de9b9136222edfc7532b396

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\dyaelgucohpgs.exe

Filesize
512KB

MD5
ae3ef9c7bcf591bf7126c661d7d6b5d6

SHA1
6b3d6f8ec77c1a0844d900f57ad0591b61f32e7c

SHA256
44e853d852839431e1fbdee147c928096abd670df86a7c3109e68e50fe919cdf

SHA512
7d0212bb17267de30b7713f1d768ab7efff1d77234c80f12dfc1b44e8a39410ba53fb10dec07ded667ffc1cf7a665b02ac3591f056e373e8a218a1516ba0b080

Download Submit
\Windows\SysWOW64\rzxzhverlu.exe

Filesize
512KB

MD5
62a857d86ed806f2e84bd2211db77e1a

SHA1
7a966be2bd66ab2ccc8d46c6796ce4450b57e08c

SHA256
9091c21bf6587872d112ca39ef18ba4e93b0f6e1109a89e3639a128e30c9b99b

SHA512
5444e938271bb1f6d49625cb8b8796a1342ad0e6c95cd6fc4059a0c59f792d563a79c4b98700f7efcecc33e0ac124bfa19b114474bfa3c06d9a5c1e8005ffd2a

Download Submit
\Windows\SysWOW64\xyfszwaq.exe

Filesize
512KB

MD5
1ec3af54eaaf34fcfdf630cb9ae94ff8

SHA1
32367560a804e10ded718bb8edfa58eb01a558ef

SHA256
42c7699f631a7038617ba6821e063e47bc0609076d8fa98f5ca79e6d5bfd3a46

SHA512
111dd0cf15a6360655292bdf15fa3cb355ed097bfdad8741e88e85885a8e663229f723cbbb35d090cb37a18cfd13471fd69e918cef4888d7b9119cd46578ae20

Download Submit
memory/2196-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2616-46-0x0000000070DAD000-0x0000000070DB8000-memory.dmp

Filesize
44KB

Download
memory/2616-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-44-0x000000002FC81000-0x000000002FC82000-memory.dmp

Filesize
4KB

Download
memory/2616-86-0x0000000070DAD000-0x0000000070DB8000-memory.dmp

Filesize
44KB

Download
memory/2616-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download