013da5167020b9b0f3cab44679a3a98a0dfa6a28e52eeba78dd67943c150d439

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2474e474184dc0ef872c30a9544ff0b5.exe
Size

512KB
MD5

2474e474184dc0ef872c30a9544ff0b5
SHA1

47d4bbab9673bf1c00c21d96f09cfc781fac8c57
SHA256

013da5167020b9b0f3cab44679a3a98a0dfa6a28e52eeba78dd67943c150d439
SHA512

12e640ad6a8956f18fb3fec657e6d3425893edb0bbac1aacbf88e4061cfb1c6f3832e2855c2218859720bae16863320a47513271cf2abd7cb15d37bd9ca0c73f
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6N:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm52

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	shaqkwwaui.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	shaqkwwaui.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	shaqkwwaui.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	shaqkwwaui.exe

Executes dropped EXE 5 IoCs

pid	Process
2748	shaqkwwaui.exe
2876	caylpeuanlspgge.exe
2916	zrliuzit.exe
2716	qspfsfbeoaghb.exe
1388	zrliuzit.exe

Loads dropped DLL 5 IoCs

pid	Process
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2748	shaqkwwaui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	shaqkwwaui.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bzvqatoj = "shaqkwwaui.exe"	caylpeuanlspgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cjxdtydk = "caylpeuanlspgge.exe"	caylpeuanlspgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qspfsfbeoaghb.exe"	caylpeuanlspgge.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	zrliuzit.exe
File opened (read-only)	\??\l:	shaqkwwaui.exe
File opened (read-only)	\??\m:	shaqkwwaui.exe
File opened (read-only)	\??\r:	shaqkwwaui.exe
File opened (read-only)	\??\g:	zrliuzit.exe
File opened (read-only)	\??\n:	zrliuzit.exe
File opened (read-only)	\??\p:	zrliuzit.exe
File opened (read-only)	\??\q:	zrliuzit.exe
File opened (read-only)	\??\w:	zrliuzit.exe
File opened (read-only)	\??\w:	shaqkwwaui.exe
File opened (read-only)	\??\x:	shaqkwwaui.exe
File opened (read-only)	\??\m:	zrliuzit.exe
File opened (read-only)	\??\s:	zrliuzit.exe
File opened (read-only)	\??\o:	shaqkwwaui.exe
File opened (read-only)	\??\v:	shaqkwwaui.exe
File opened (read-only)	\??\g:	zrliuzit.exe
File opened (read-only)	\??\r:	zrliuzit.exe
File opened (read-only)	\??\s:	shaqkwwaui.exe
File opened (read-only)	\??\z:	shaqkwwaui.exe
File opened (read-only)	\??\l:	zrliuzit.exe
File opened (read-only)	\??\n:	zrliuzit.exe
File opened (read-only)	\??\h:	zrliuzit.exe
File opened (read-only)	\??\n:	shaqkwwaui.exe
File opened (read-only)	\??\e:	zrliuzit.exe
File opened (read-only)	\??\r:	zrliuzit.exe
File opened (read-only)	\??\a:	zrliuzit.exe
File opened (read-only)	\??\k:	zrliuzit.exe
File opened (read-only)	\??\w:	zrliuzit.exe
File opened (read-only)	\??\h:	zrliuzit.exe
File opened (read-only)	\??\a:	shaqkwwaui.exe
File opened (read-only)	\??\t:	zrliuzit.exe
File opened (read-only)	\??\s:	zrliuzit.exe
File opened (read-only)	\??\x:	zrliuzit.exe
File opened (read-only)	\??\m:	zrliuzit.exe
File opened (read-only)	\??\y:	zrliuzit.exe
File opened (read-only)	\??\u:	shaqkwwaui.exe
File opened (read-only)	\??\q:	zrliuzit.exe
File opened (read-only)	\??\x:	zrliuzit.exe
File opened (read-only)	\??\y:	zrliuzit.exe
File opened (read-only)	\??\l:	zrliuzit.exe
File opened (read-only)	\??\u:	zrliuzit.exe
File opened (read-only)	\??\z:	zrliuzit.exe
File opened (read-only)	\??\b:	zrliuzit.exe
File opened (read-only)	\??\t:	shaqkwwaui.exe
File opened (read-only)	\??\i:	zrliuzit.exe
File opened (read-only)	\??\h:	shaqkwwaui.exe
File opened (read-only)	\??\j:	shaqkwwaui.exe
File opened (read-only)	\??\k:	zrliuzit.exe
File opened (read-only)	\??\i:	zrliuzit.exe
File opened (read-only)	\??\o:	zrliuzit.exe
File opened (read-only)	\??\b:	shaqkwwaui.exe
File opened (read-only)	\??\q:	shaqkwwaui.exe
File opened (read-only)	\??\b:	zrliuzit.exe
File opened (read-only)	\??\o:	zrliuzit.exe
File opened (read-only)	\??\v:	zrliuzit.exe
File opened (read-only)	\??\j:	zrliuzit.exe
File opened (read-only)	\??\z:	zrliuzit.exe
File opened (read-only)	\??\g:	shaqkwwaui.exe
File opened (read-only)	\??\e:	zrliuzit.exe
File opened (read-only)	\??\v:	zrliuzit.exe
File opened (read-only)	\??\j:	zrliuzit.exe
File opened (read-only)	\??\e:	shaqkwwaui.exe
File opened (read-only)	\??\i:	shaqkwwaui.exe
File opened (read-only)	\??\k:	shaqkwwaui.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	shaqkwwaui.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	shaqkwwaui.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2408-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000122c5-5.dat	autoit_exe
behavioral1/files/0x000a000000012253-17.dat	autoit_exe
behavioral1/files/0x000a000000012253-26.dat	autoit_exe
behavioral1/files/0x003000000001421a-29.dat	autoit_exe
behavioral1/files/0x00070000000142f4-39.dat	autoit_exe
behavioral1/files/0x00070000000142f4-41.dat	autoit_exe
behavioral1/files/0x00070000000142f4-35.dat	autoit_exe
behavioral1/files/0x003000000001421a-34.dat	autoit_exe
behavioral1/files/0x000d0000000122c5-28.dat	autoit_exe
behavioral1/files/0x000d0000000122c5-25.dat	autoit_exe
behavioral1/files/0x000d0000000122c5-22.dat	autoit_exe
behavioral1/files/0x000a000000012253-20.dat	autoit_exe
behavioral1/files/0x0006000000015c5a-66.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shaqkwwaui.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File created	C:\Windows\SysWOW64\caylpeuanlspgge.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File created	C:\Windows\SysWOW64\zrliuzit.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File opened for modification	C:\Windows\SysWOW64\zrliuzit.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File created	C:\Windows\SysWOW64\shaqkwwaui.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File opened for modification	C:\Windows\SysWOW64\caylpeuanlspgge.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File created	C:\Windows\SysWOW64\qspfsfbeoaghb.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File opened for modification	C:\Windows\SysWOW64\qspfsfbeoaghb.exe	2474e474184dc0ef872c30a9544ff0b5.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	shaqkwwaui.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zrliuzit.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zrliuzit.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zrliuzit.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zrliuzit.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zrliuzit.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zrliuzit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	2474e474184dc0ef872c30a9544ff0b5.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F368C6FF1D22D9D208D1D18A0F9160"	2474e474184dc0ef872c30a9544ff0b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	shaqkwwaui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	shaqkwwaui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	shaqkwwaui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	shaqkwwaui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	shaqkwwaui.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	shaqkwwaui.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2600	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
1388	zrliuzit.exe
1388	zrliuzit.exe
1388	zrliuzit.exe
1388	zrliuzit.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2876	caylpeuanlspgge.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
1388	zrliuzit.exe
1388	zrliuzit.exe
1388	zrliuzit.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2408	2474e474184dc0ef872c30a9544ff0b5.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2748	shaqkwwaui.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2876	caylpeuanlspgge.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2916	zrliuzit.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
2716	qspfsfbeoaghb.exe
1388	zrliuzit.exe
1388	zrliuzit.exe
1388	zrliuzit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2600	WINWORD.EXE
2600	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2748	2408	2474e474184dc0ef872c30a9544ff0b5.exe	21
PID 2408 wrote to memory of 2748	2408	2474e474184dc0ef872c30a9544ff0b5.exe	21
PID 2408 wrote to memory of 2748	2408	2474e474184dc0ef872c30a9544ff0b5.exe	21
PID 2408 wrote to memory of 2748	2408	2474e474184dc0ef872c30a9544ff0b5.exe	21
PID 2408 wrote to memory of 2876	2408	2474e474184dc0ef872c30a9544ff0b5.exe	29
PID 2408 wrote to memory of 2876	2408	2474e474184dc0ef872c30a9544ff0b5.exe	29
PID 2408 wrote to memory of 2876	2408	2474e474184dc0ef872c30a9544ff0b5.exe	29
PID 2408 wrote to memory of 2876	2408	2474e474184dc0ef872c30a9544ff0b5.exe	29
PID 2408 wrote to memory of 2916	2408	2474e474184dc0ef872c30a9544ff0b5.exe	28
PID 2408 wrote to memory of 2916	2408	2474e474184dc0ef872c30a9544ff0b5.exe	28
PID 2408 wrote to memory of 2916	2408	2474e474184dc0ef872c30a9544ff0b5.exe	28
PID 2408 wrote to memory of 2916	2408	2474e474184dc0ef872c30a9544ff0b5.exe	28
PID 2408 wrote to memory of 2716	2408	2474e474184dc0ef872c30a9544ff0b5.exe	27
PID 2408 wrote to memory of 2716	2408	2474e474184dc0ef872c30a9544ff0b5.exe	27
PID 2408 wrote to memory of 2716	2408	2474e474184dc0ef872c30a9544ff0b5.exe	27
PID 2408 wrote to memory of 2716	2408	2474e474184dc0ef872c30a9544ff0b5.exe	27
PID 2876 wrote to memory of 2620	2876	caylpeuanlspgge.exe	26
PID 2876 wrote to memory of 2620	2876	caylpeuanlspgge.exe	26
PID 2876 wrote to memory of 2620	2876	caylpeuanlspgge.exe	26
PID 2876 wrote to memory of 2620	2876	caylpeuanlspgge.exe	26
PID 2748 wrote to memory of 1388	2748	shaqkwwaui.exe	35
PID 2748 wrote to memory of 1388	2748	shaqkwwaui.exe	35
PID 2748 wrote to memory of 1388	2748	shaqkwwaui.exe	35
PID 2748 wrote to memory of 1388	2748	shaqkwwaui.exe	35
PID 2408 wrote to memory of 2600	2408	2474e474184dc0ef872c30a9544ff0b5.exe	34
PID 2408 wrote to memory of 2600	2408	2474e474184dc0ef872c30a9544ff0b5.exe	34
PID 2408 wrote to memory of 2600	2408	2474e474184dc0ef872c30a9544ff0b5.exe	34
PID 2408 wrote to memory of 2600	2408	2474e474184dc0ef872c30a9544ff0b5.exe	34
PID 2600 wrote to memory of 2668	2600	WINWORD.EXE	39
PID 2600 wrote to memory of 2668	2600	WINWORD.EXE	39
PID 2600 wrote to memory of 2668	2600	WINWORD.EXE	39
PID 2600 wrote to memory of 2668	2600	WINWORD.EXE	39

C:\Users\Admin\AppData\Local\Temp\2474e474184dc0ef872c30a9544ff0b5.exe
"C:\Users\Admin\AppData\Local\Temp\2474e474184dc0ef872c30a9544ff0b5.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\shaqkwwaui.exe
  shaqkwwaui.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\zrliuzit.exe
    C:\Windows\system32\zrliuzit.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1388
- C:\Windows\SysWOW64\qspfsfbeoaghb.exe
  qspfsfbeoaghb.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2716
- C:\Windows\SysWOW64\zrliuzit.exe
  zrliuzit.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2916
- C:\Windows\SysWOW64\caylpeuanlspgge.exe
  caylpeuanlspgge.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2876
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c qspfsfbeoaghb.exe
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
41KB

MD5
db1d49df836b2050a3f4b45c35ad5c9b

SHA1
9be5bf02dcb7f2fd63956a64de93dc6a65fedf9a

SHA256
a9d0fd35505fda911c8016e95fa0fa29c8708efdab52705f9682b2961d84a630

SHA512
125e1f6500202e58f9cb6a29131e1f4eff2920f52fd3e6a8d3886d2565d14908079971bc6427e441537097aa88ba0b0ffb6d15a75b2d1cfb6dda5ad03ff61be8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
bf0291e333cb470a19565b19f61a9974

SHA1
d47211aa1b664b3bf36bae8a3b841a069801617d

SHA256
a1543dfa7c1283d6a6cbbd48be65e4c7b47939c755533f9e75d00a803b43c508

SHA512
c3a282d0cc94f00f4adcd40e11f7fbc08f934ad6c61056c9eeb17b00a2ce602009316f93d88e341e5741b78e409c4919ce155ae1018f76f2a85a98c99599f797

Download Submit
C:\Windows\SysWOW64\caylpeuanlspgge.exe

Filesize
1KB

MD5
c99294580b2d7a1773c8e92c1a2a984e

SHA1
9d8c630dbec204bbcad21e43e54cd51c96dff339

SHA256
45f9bbb7dd10b91102c01a28dcdbd3b288e67a00d7ca489a5daa47620b99d60b

SHA512
9cc472aa95555a51a58b26dbf910e75adf6bb44c55b746f20a4e41006033de63198e24051c1ed98d05d4dd7704830ce6f4bf75fa4cf07947458fb24296525d0c

Download Submit
C:\Windows\SysWOW64\caylpeuanlspgge.exe

Filesize
8KB

MD5
ed3a38ffb45743d09c54e500422d12e7

SHA1
5fc099fa546b913ac6b1b56182a61d1a4e55170e

SHA256
c423dd1b2843c0238eac7cb1a9a432970bbc1099604501ad470afd5c4b9b80c1

SHA512
3d041e75953dca84b1c8bda8b45a811744a187e8bbb4dd7db52a36f14b3a3929c733603754914ade62bd7b0c16d084c0ffbf5e323149446f7f67fb4ddea741ad

Download Submit
C:\Windows\SysWOW64\caylpeuanlspgge.exe

Filesize
1KB

MD5
ec89629d437c17787acc7061c89e753c

SHA1
c65089b32eba1cf75d3546335718073460c971f9

SHA256
87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

SHA512
65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Download Submit
C:\Windows\SysWOW64\qspfsfbeoaghb.exe

Filesize
2KB

MD5
f8d64fbc319cb58315b645e476ab77f9

SHA1
db35f786a78ef8f206424d594c90ade339b62931

SHA256
58facb95e3bed902972446b15300f57f25ad43739ef0999e6778a1d76eee915d

SHA512
f6bd89fe954e75447753d2bce6c3c9c1b31e67e4d224414f48f40255d285c4cfc9a35db41a62f837314fcc6a450239de88b71307a202b940779214447a67ebfc

Download Submit
C:\Windows\SysWOW64\qspfsfbeoaghb.exe

Filesize
44KB

MD5
7c95d55b49d7b65e2d9930c2148ade47

SHA1
7100840fe2d22580a144eb35d5a2e6310e22a980

SHA256
b3202996286b2892020df86070fc52f2447b303632c0e315d5538496099f5f97

SHA512
f4f8963f95a5aa345ca04be6459c721dc48891660269472a3d131b37658f39b52dc9fdba30ff3c0f168b55b8d072bc54fdcee4f654931da18e13b4446c1ffc5f

Download Submit
C:\Windows\SysWOW64\shaqkwwaui.exe

Filesize
26KB

MD5
9aec300dbd7b6a624dd935a600cf5d52

SHA1
4c1e872b32a8e086da932cfd7de22ea4cfbe8a32

SHA256
490f5642bd139fceab6f700c17ebd3379b4511154f105fff3ce98399a52fba9f

SHA512
8230d2dfcdfc9c485358579e3515e1e151f9be5693a5ee9bc403362c3b3162c67adff720f9106c9bb0ffe1b0051fd84da68d15bafc01e3ed063acafd2373c44d

Download Submit
C:\Windows\SysWOW64\shaqkwwaui.exe

Filesize
20KB

MD5
058c76313564f1decd6c4097996b73cd

SHA1
2535dc85156dc26df0a42a81bd2f0aed009bd15c

SHA256
4b6c463fa6ca061e857ba7dae0dfafc2208d20e0e30903bb6bcf6d394b0b7ca3

SHA512
a52b389a8e86393e0b5eb3412f53700c51b54ed58698c093007f51add7b2d1d7f9c3c1b69c6cf0b6206b807f3c835e0ca0aa7d353597ff170a000c6452565074

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\caylpeuanlspgge.exe

Filesize
9KB

MD5
6e54e8a19c4c9e1563f4115119d69ce7

SHA1
6f07cccf36a47285b320226ffa190f1bd5b6c9ac

SHA256
27abddb07f42fdb28280677233a4ac128b774c920c9cb7a071ac129ddabf142b

SHA512
835f592cee5610de996cc0dda3f25160d5813f582c510f7cc6853f5b41028dcbe074bacedd848c2d201053867b6052036de035000febed19133032bbecb5fdc7

Download Submit
\Windows\SysWOW64\qspfsfbeoaghb.exe

Filesize
22KB

MD5
ec49bfe898350b619ac10a833e14e8a5

SHA1
cefae9e88713f4c43706a372dab8a4726273aec5

SHA256
f632a0dc850b5c396d7088d88b80620cf4a1c74401808f9f1d9618a2ee2cad7e

SHA512
e94c0c597ce97882f4b24e955b0413c00279156b955d44d1039b40fd993af894cb1f709176c02a9a94561da362d5f7009925ce36ce9b926473c63ff14fedddf5

Download Submit
\Windows\SysWOW64\shaqkwwaui.exe

Filesize
40KB

MD5
02cb0d3ce297e66eba3a7b9b205fe7d3

SHA1
4e06f0b84a28fb102a7320904fa7aa4e213c6300

SHA256
9fdfe4267a41333f8766ef5a82cd2f84312458cd7193f15215ed60088d2680c5

SHA512
a6e09f5d1de21591e39c94de2776dac648660d8be85d96e29645a8dfe57103672d4e651422ebf2b45c2538ee5ec2ab692b2362c05656832d484e08127308802b

Download Submit
\Windows\SysWOW64\zrliuzit.exe

Filesize
8KB

MD5
14a50fc7036da94ab3179d762d1f1e1f

SHA1
5903f69f9107bd94006e8c8d38293bd7b1abe7f4

SHA256
cfb9be7bd03e50147f7c2c34db0550f791a63149c9e3af853fe54df5cdf593a8

SHA512
e624b7c072fa91a01868aaeebee58cca78589d33a4ff1d70c211613c57437326e784bb98dc3fb578bc3b75e8c44e2928dd3395d0dfaf7587861e26e7dbeefeb1

Download Submit
memory/2408-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2600-47-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2600-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2600-76-0x00000000710FD000-0x0000000071108000-memory.dmp

Filesize
44KB

Download
memory/2600-45-0x000000002FC51000-0x000000002FC52000-memory.dmp

Filesize
4KB

Download
memory/2600-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download