6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662

Analysis

max time kernel
181s
max time network
61s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39faf8ddc75b4758a1a35b1c3841a776.exe
Size

512KB
MD5

39faf8ddc75b4758a1a35b1c3841a776
SHA1

c1909d6b03d78abc536fd19c6c083a92a6c4a2d2
SHA256

6148091e925f575ac4977fc4120455f5269dcabcc850997b55dd0f7dc2567662
SHA512

de906f80ebcf32659b2bf48ed3d6e08a37f319cfeabca3148fae21394e66e2d4b9dc86ceb1537d41cd6493ea7d21a3fbb960428e9692fd57f22880dcfc65eb0a
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm58

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	yxxgprzpoj.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yxxgprzpoj.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yxxgprzpoj.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yxxgprzpoj.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2560	yxxgprzpoj.exe
2592	jlyyquuupugjnzc.exe
2604	aldnjasd.exe
240	ivkftzubepwwt.exe
2864	aldnjasd.exe

Loads dropped DLL 5 IoCs

pid	Process
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2560	yxxgprzpoj.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yxxgprzpoj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xeymjlqf = "yxxgprzpoj.exe"	jlyyquuupugjnzc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yxxddiys = "jlyyquuupugjnzc.exe"	jlyyquuupugjnzc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ivkftzubepwwt.exe"	jlyyquuupugjnzc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	aldnjasd.exe
File opened (read-only)	\??\v:	aldnjasd.exe
File opened (read-only)	\??\u:	yxxgprzpoj.exe
File opened (read-only)	\??\v:	yxxgprzpoj.exe
File opened (read-only)	\??\i:	aldnjasd.exe
File opened (read-only)	\??\o:	aldnjasd.exe
File opened (read-only)	\??\w:	aldnjasd.exe
File opened (read-only)	\??\y:	yxxgprzpoj.exe
File opened (read-only)	\??\j:	aldnjasd.exe
File opened (read-only)	\??\s:	aldnjasd.exe
File opened (read-only)	\??\a:	aldnjasd.exe
File opened (read-only)	\??\b:	aldnjasd.exe
File opened (read-only)	\??\a:	yxxgprzpoj.exe
File opened (read-only)	\??\l:	yxxgprzpoj.exe
File opened (read-only)	\??\o:	aldnjasd.exe
File opened (read-only)	\??\q:	aldnjasd.exe
File opened (read-only)	\??\g:	aldnjasd.exe
File opened (read-only)	\??\p:	aldnjasd.exe
File opened (read-only)	\??\x:	aldnjasd.exe
File opened (read-only)	\??\p:	yxxgprzpoj.exe
File opened (read-only)	\??\e:	aldnjasd.exe
File opened (read-only)	\??\i:	aldnjasd.exe
File opened (read-only)	\??\y:	aldnjasd.exe
File opened (read-only)	\??\j:	aldnjasd.exe
File opened (read-only)	\??\m:	yxxgprzpoj.exe
File opened (read-only)	\??\e:	aldnjasd.exe
File opened (read-only)	\??\l:	aldnjasd.exe
File opened (read-only)	\??\u:	aldnjasd.exe
File opened (read-only)	\??\b:	aldnjasd.exe
File opened (read-only)	\??\v:	aldnjasd.exe
File opened (read-only)	\??\k:	aldnjasd.exe
File opened (read-only)	\??\n:	aldnjasd.exe
File opened (read-only)	\??\s:	aldnjasd.exe
File opened (read-only)	\??\h:	yxxgprzpoj.exe
File opened (read-only)	\??\x:	yxxgprzpoj.exe
File opened (read-only)	\??\m:	aldnjasd.exe
File opened (read-only)	\??\t:	aldnjasd.exe
File opened (read-only)	\??\e:	yxxgprzpoj.exe
File opened (read-only)	\??\g:	yxxgprzpoj.exe
File opened (read-only)	\??\k:	aldnjasd.exe
File opened (read-only)	\??\u:	aldnjasd.exe
File opened (read-only)	\??\n:	yxxgprzpoj.exe
File opened (read-only)	\??\w:	yxxgprzpoj.exe
File opened (read-only)	\??\g:	aldnjasd.exe
File opened (read-only)	\??\n:	aldnjasd.exe
File opened (read-only)	\??\x:	aldnjasd.exe
File opened (read-only)	\??\h:	aldnjasd.exe
File opened (read-only)	\??\m:	aldnjasd.exe
File opened (read-only)	\??\r:	yxxgprzpoj.exe
File opened (read-only)	\??\h:	aldnjasd.exe
File opened (read-only)	\??\r:	aldnjasd.exe
File opened (read-only)	\??\o:	yxxgprzpoj.exe
File opened (read-only)	\??\q:	yxxgprzpoj.exe
File opened (read-only)	\??\s:	yxxgprzpoj.exe
File opened (read-only)	\??\t:	yxxgprzpoj.exe
File opened (read-only)	\??\l:	aldnjasd.exe
File opened (read-only)	\??\r:	aldnjasd.exe
File opened (read-only)	\??\b:	yxxgprzpoj.exe
File opened (read-only)	\??\a:	aldnjasd.exe
File opened (read-only)	\??\w:	aldnjasd.exe
File opened (read-only)	\??\y:	aldnjasd.exe
File opened (read-only)	\??\z:	aldnjasd.exe
File opened (read-only)	\??\k:	yxxgprzpoj.exe
File opened (read-only)	\??\z:	aldnjasd.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	yxxgprzpoj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	yxxgprzpoj.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2676-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0007000000015dc1-9.dat	autoit_exe
behavioral1/files/0x000c000000015c26-17.dat	autoit_exe
behavioral1/files/0x0031000000015c8d-21.dat	autoit_exe
behavioral1/files/0x0031000000015c8d-24.dat	autoit_exe
behavioral1/files/0x000c000000015c26-27.dat	autoit_exe
behavioral1/files/0x0007000000015dc1-28.dat	autoit_exe
behavioral1/files/0x0007000000015dc1-31.dat	autoit_exe
behavioral1/files/0x0007000000015e03-38.dat	autoit_exe
behavioral1/files/0x0007000000015e03-34.dat	autoit_exe
behavioral1/files/0x0031000000015c8d-32.dat	autoit_exe
behavioral1/files/0x0007000000015dc1-40.dat	autoit_exe
behavioral1/files/0x0007000000015e03-41.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yxxgprzpoj.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\aldnjasd.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\aldnjasd.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	yxxgprzpoj.exe
File opened for modification	C:\Windows\SysWOW64\ivkftzubepwwt.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\yxxgprzpoj.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\jlyyquuupugjnzc.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\SysWOW64\jlyyquuupugjnzc.exe	39faf8ddc75b4758a1a35b1c3841a776.exe
File created	C:\Windows\SysWOW64\ivkftzubepwwt.exe	39faf8ddc75b4758a1a35b1c3841a776.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	39faf8ddc75b4758a1a35b1c3841a776.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yxxgprzpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	yxxgprzpoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	39faf8ddc75b4758a1a35b1c3841a776.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	yxxgprzpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	yxxgprzpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFAB8FE64F290840E3A44819E3E94B38F03F143160333E1BF45EA08A9"	39faf8ddc75b4758a1a35b1c3841a776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C7791493DABFB8C07C92EC9737CA"	39faf8ddc75b4758a1a35b1c3841a776.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	yxxgprzpoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1636	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2864	aldnjasd.exe
2864	aldnjasd.exe
2864	aldnjasd.exe
2864	aldnjasd.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2592	jlyyquuupugjnzc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe
Token: SeShutdownPrivilege	2852	explorer.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2864	aldnjasd.exe
2864	aldnjasd.exe
2864	aldnjasd.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2676	39faf8ddc75b4758a1a35b1c3841a776.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2560	yxxgprzpoj.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2592	jlyyquuupugjnzc.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
2604	aldnjasd.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
240	ivkftzubepwwt.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe
2852	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1636	WINWORD.EXE
1636	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2560	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2676 wrote to memory of 2560	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2676 wrote to memory of 2560	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2676 wrote to memory of 2560	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	29
PID 2676 wrote to memory of 2592	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	30
PID 2676 wrote to memory of 2592	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	30
PID 2676 wrote to memory of 2592	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	30
PID 2676 wrote to memory of 2592	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	30
PID 2676 wrote to memory of 2604	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	31
PID 2676 wrote to memory of 2604	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	31
PID 2676 wrote to memory of 2604	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	31
PID 2676 wrote to memory of 2604	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	31
PID 2676 wrote to memory of 240	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	32
PID 2676 wrote to memory of 240	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	32
PID 2676 wrote to memory of 240	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	32
PID 2676 wrote to memory of 240	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	32
PID 2560 wrote to memory of 2864	2560	yxxgprzpoj.exe	34
PID 2560 wrote to memory of 2864	2560	yxxgprzpoj.exe	34
PID 2560 wrote to memory of 2864	2560	yxxgprzpoj.exe	34
PID 2560 wrote to memory of 2864	2560	yxxgprzpoj.exe	34
PID 2676 wrote to memory of 1636	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	35
PID 2676 wrote to memory of 1636	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	35
PID 2676 wrote to memory of 1636	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	35
PID 2676 wrote to memory of 1636	2676	39faf8ddc75b4758a1a35b1c3841a776.exe	35
PID 1636 wrote to memory of 2876	1636	WINWORD.EXE	40
PID 1636 wrote to memory of 2876	1636	WINWORD.EXE	40
PID 1636 wrote to memory of 2876	1636	WINWORD.EXE	40
PID 1636 wrote to memory of 2876	1636	WINWORD.EXE	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe
"C:\Users\Admin\AppData\Local\Temp\39faf8ddc75b4758a1a35b1c3841a776.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\yxxgprzpoj.exe
  yxxgprzpoj.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\aldnjasd.exe
    C:\Windows\system32\aldnjasd.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2864
- C:\Windows\SysWOW64\jlyyquuupugjnzc.exe
  jlyyquuupugjnzc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2592
- C:\Windows\SysWOW64\aldnjasd.exe
  aldnjasd.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2604
- C:\Windows\SysWOW64\ivkftzubepwwt.exe
  ivkftzubepwwt.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:240
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2876

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aldnjasd.exe

Filesize
98KB

MD5
c837dbbf98998ed53d09157885b19e18

SHA1
0f26f4a4d028dfd9b93ca76153619d9c5bf309c9

SHA256
a73ab85840fd7e519261edaef135e706e451f0671b607f0ce934dc63205bc04b

SHA512
ceb4918e8d50201471c4496cdde0c3bb6717db66401fda529cfd1f2ffff498a25534cc46908b30b154752599843999d686c7ca0cf462b6a9ef25ca9d4b2eb504

Download Submit
C:\Windows\SysWOW64\aldnjasd.exe

Filesize
42KB

MD5
07e3b9a6fd7b9e3940b91226b51d3031

SHA1
4d70a92fce74d54da35c51fe80938f41d025ab23

SHA256
1dd9a0a808f34398e2c6ccafa6fb9ef0c62995d5213c821a4d8a8626d33c25ac

SHA512
e79d0f7ab43f18535ca9a94445cf4da5ae365b8bea42f865095e1024a330cf62a0140b7d84040a46ecec0d72d7f6a67865117146eba6dc3ae05a7ae48b4e0789

Download Submit
C:\Windows\SysWOW64\aldnjasd.exe

Filesize
512KB

MD5
060365246e4941865e443a34290bc2a2

SHA1
c1ac08df9b0eda04af75dec43cb26e6ed2376703

SHA256
f5844b53d36ef27c40a72bd764da6e9379000955463888d60685344ec8e944de

SHA512
b9af66f21f7cae76bed8f6152754bd0d6a38a1d176d8bf5ac89644d664bd425a7980ad105135cf0d8eba3a0bf396c57998bc043d6c8d43fdd7a72ebae532beac

Download Submit
C:\Windows\SysWOW64\ivkftzubepwwt.exe

Filesize
182KB

MD5
e702cda523a0feea8d2ea7191e48176e

SHA1
b166e96e4bf4c166eff948a57e946bbd331cba09

SHA256
73700c5f18003c186d9fcdeddd06ff2b2873aefa8e2b3772e9fe2e90e9401d6e

SHA512
ce9566621b0b0add46115a09d33486314a34ce623c787b3c15796b80a04f494d1e3fe2358b6b46d0c10779e3faa20dcb34c45fde4c4210965940ffce5e785ef0

Download Submit
C:\Windows\SysWOW64\ivkftzubepwwt.exe

Filesize
45KB

MD5
e8d0a210a7de9cb675e1378280b0b6de

SHA1
c2ab939a2766a03bf6c24459cd935c2d580f220d

SHA256
c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

SHA512
e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Download Submit
C:\Windows\SysWOW64\jlyyquuupugjnzc.exe

Filesize
136KB

MD5
fd2cae620b4402b2817131176643ea72

SHA1
74a1affea1afd4a850bf35e62018182352e99ecf

SHA256
d17453ecd83cf34781c845001060821c0a38357cc9347f891f817d5964527ac6

SHA512
8d5e5dd84d8852398de18df1aa193bbd07b247ee243e54667067cd648c599a27f42f030e581a248749ca0fee09215b84308bf918497c9e8b0e17486642ed51a0

Download Submit
C:\Windows\SysWOW64\jlyyquuupugjnzc.exe

Filesize
55KB

MD5
e157c3a61c9cae70366c2ec10fdac71c

SHA1
02859014dfc548a8c4e1faf021c274f7c2c77e99

SHA256
2338e75bfa94455fa7eaceb83fbca863e67532381515ddaa9c75b671bd53674c

SHA512
88ff056e27d56e9dc48559c69b4ad1ac71664a79c92686d79ec0a5ec3835f2c65f9fde0a564b7e6c4bff6b070dd44f4d3859bc3698af8aaeed552e624fdfaeb8

Download Submit
C:\Windows\SysWOW64\yxxgprzpoj.exe

Filesize
129KB

MD5
ab5a89b3375afadc0c17b5812b5466a4

SHA1
5106c80a49b671b82ed85bb608f4c91a57cf2e0a

SHA256
2e2f72105fcfc2aa6c499313c1f9c39cc2fa37382abf98db70e524042e0652d9

SHA512
ff8b6a0ada608356563268b9d61477685a4a1514bb6897e2bf87a5523ce5280f6067638beb1d36223b6ff3bbde020f899e76597dcbeb8c081ace409961f764c3

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\aldnjasd.exe

Filesize
130KB

MD5
85de34314f75badfc98f548b3d230820

SHA1
d9d4762c77d73fd6dcf022798dcf76cd5635d326

SHA256
cf384da038bff4a323f3b83b03153f64e5ce83cd67aac6d41940aab3b830ae3a

SHA512
7d0056d6332811d153af11d55c1cea4543de68278948e2a916dbfc3228d9707c68872bb146eec41783d7f77dcba16787597c3cc83558159f6a985b20766011b4

Download Submit
\Windows\SysWOW64\ivkftzubepwwt.exe

Filesize
147KB

MD5
99fc55e39428f7bc7a33ccd9f84435ae

SHA1
a2fe4c858306a863e59089886a4a3bf24d3f0586

SHA256
57f5735f2c4906b4d5e61a8e8c683a357edbaec4b59f67a1cc4e5c060618a9d1

SHA512
2bc96f322f802218bd5e3ca6d0984caeeab3921db22e76c57e898b47283a33fa761b2ed7202b9e923ea801e5c2eabf2e9383ee4f3517d2224d08b19084aebca7

Download Submit
\Windows\SysWOW64\jlyyquuupugjnzc.exe

Filesize
512KB

MD5
7e92c9d3ea4192167af70e6fadb109e3

SHA1
36dc35377b24fdc1c1326402f4af1b7558cb23e9

SHA256
746664a3ba38cc303a08934ab9b5ff0096bd21fa17707984e111dbf20fd7b35a

SHA512
368c1410bbdaea2d90a68ce7ae57d5796650d9ea06f981da8a1c8492032ccc445da46356438119a24bf68161e17695b457d927dca1f107912a8e9aac1c3e2724

Download Submit
\Windows\SysWOW64\yxxgprzpoj.exe

Filesize
512KB

MD5
5fc100860133be3c20dcc84ff53ad766

SHA1
3c0c68871199376d388fa0dcec22354ba8a924cc

SHA256
5b5e1876dd26dde262ce09bcd77df3220ae46ada4317b11b8bf12f921103a63d

SHA512
1f66bcad1c84001f44e0c023b4aaba4df9f361bd28953251a6a865d283ee25e9284f5cd9589e8d1fe23ac0c9f36697b465a8d87dc1e95451e15b5aa6ce99050b

Download Submit
memory/1636-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-45-0x000000002F811000-0x000000002F812000-memory.dmp

Filesize
4KB

Download
memory/1636-47-0x00000000710DD000-0x00000000710E8000-memory.dmp

Filesize
44KB

Download
memory/1636-62-0x00000000710DD000-0x00000000710E8000-memory.dmp

Filesize
44KB

Download
memory/2676-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2852-52-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2852-64-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2852-76-0x0000000002580000-0x0000000002590000-memory.dmp

Filesize
64KB

Download