6588989ffa67d28b571211f87008a0139937a343fc7802830cd83e95e6bd3f52

Analysis

max time kernel
165s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e961514afb689fdbe3ed00211a8d47.exe
Size

512KB
MD5

02e961514afb689fdbe3ed00211a8d47
SHA1

31f2d960acd0f5d2390d16baeb3504e4fe866d84
SHA256

6588989ffa67d28b571211f87008a0139937a343fc7802830cd83e95e6bd3f52
SHA512

e77cea2feb48fa560bd8e9391c43d7bacd20b30af7bef5585afddd1860610424e3ce2196d80439d4e94379e5be2f7bf60bc8952a413ff55e252f996cd61d2d21
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5m

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tjbuxcehco.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tjbuxcehco.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tjbuxcehco.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tjbuxcehco.exe

Executes dropped EXE 5 IoCs

pid	Process
3016	tjbuxcehco.exe
2888	ixxklhfdeupuwyx.exe
1312	xhenqumz.exe
1768	wpryyhksecast.exe
2432	xhenqumz.exe

Loads dropped DLL 5 IoCs

pid	Process
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
3016	tjbuxcehco.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tjbuxcehco.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jitweucn = "tjbuxcehco.exe"	ixxklhfdeupuwyx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xyogofuc = "ixxklhfdeupuwyx.exe"	ixxklhfdeupuwyx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wpryyhksecast.exe"	ixxklhfdeupuwyx.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	tjbuxcehco.exe
File opened (read-only)	\??\n:	tjbuxcehco.exe
File opened (read-only)	\??\a:	xhenqumz.exe
File opened (read-only)	\??\i:	xhenqumz.exe
File opened (read-only)	\??\m:	xhenqumz.exe
File opened (read-only)	\??\y:	xhenqumz.exe
File opened (read-only)	\??\l:	tjbuxcehco.exe
File opened (read-only)	\??\o:	xhenqumz.exe
File opened (read-only)	\??\q:	xhenqumz.exe
File opened (read-only)	\??\t:	xhenqumz.exe
File opened (read-only)	\??\x:	xhenqumz.exe
File opened (read-only)	\??\v:	tjbuxcehco.exe
File opened (read-only)	\??\w:	tjbuxcehco.exe
File opened (read-only)	\??\a:	xhenqumz.exe
File opened (read-only)	\??\a:	tjbuxcehco.exe
File opened (read-only)	\??\r:	tjbuxcehco.exe
File opened (read-only)	\??\n:	xhenqumz.exe
File opened (read-only)	\??\p:	xhenqumz.exe
File opened (read-only)	\??\b:	xhenqumz.exe
File opened (read-only)	\??\x:	tjbuxcehco.exe
File opened (read-only)	\??\e:	xhenqumz.exe
File opened (read-only)	\??\m:	xhenqumz.exe
File opened (read-only)	\??\s:	tjbuxcehco.exe
File opened (read-only)	\??\i:	tjbuxcehco.exe
File opened (read-only)	\??\j:	xhenqumz.exe
File opened (read-only)	\??\n:	xhenqumz.exe
File opened (read-only)	\??\o:	tjbuxcehco.exe
File opened (read-only)	\??\y:	xhenqumz.exe
File opened (read-only)	\??\i:	xhenqumz.exe
File opened (read-only)	\??\z:	xhenqumz.exe
File opened (read-only)	\??\z:	tjbuxcehco.exe
File opened (read-only)	\??\e:	xhenqumz.exe
File opened (read-only)	\??\u:	xhenqumz.exe
File opened (read-only)	\??\v:	xhenqumz.exe
File opened (read-only)	\??\o:	xhenqumz.exe
File opened (read-only)	\??\z:	xhenqumz.exe
File opened (read-only)	\??\h:	xhenqumz.exe
File opened (read-only)	\??\h:	xhenqumz.exe
File opened (read-only)	\??\l:	xhenqumz.exe
File opened (read-only)	\??\k:	tjbuxcehco.exe
File opened (read-only)	\??\m:	tjbuxcehco.exe
File opened (read-only)	\??\u:	tjbuxcehco.exe
File opened (read-only)	\??\v:	xhenqumz.exe
File opened (read-only)	\??\j:	xhenqumz.exe
File opened (read-only)	\??\t:	tjbuxcehco.exe
File opened (read-only)	\??\y:	tjbuxcehco.exe
File opened (read-only)	\??\g:	xhenqumz.exe
File opened (read-only)	\??\u:	xhenqumz.exe
File opened (read-only)	\??\x:	xhenqumz.exe
File opened (read-only)	\??\w:	xhenqumz.exe
File opened (read-only)	\??\k:	xhenqumz.exe
File opened (read-only)	\??\t:	xhenqumz.exe
File opened (read-only)	\??\r:	xhenqumz.exe
File opened (read-only)	\??\e:	tjbuxcehco.exe
File opened (read-only)	\??\h:	tjbuxcehco.exe
File opened (read-only)	\??\j:	tjbuxcehco.exe
File opened (read-only)	\??\l:	xhenqumz.exe
File opened (read-only)	\??\p:	xhenqumz.exe
File opened (read-only)	\??\p:	tjbuxcehco.exe
File opened (read-only)	\??\q:	tjbuxcehco.exe
File opened (read-only)	\??\b:	xhenqumz.exe
File opened (read-only)	\??\r:	xhenqumz.exe
File opened (read-only)	\??\s:	xhenqumz.exe
File opened (read-only)	\??\w:	xhenqumz.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	tjbuxcehco.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	tjbuxcehco.exe

AutoIT Executable 20 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000122bd-5.dat	autoit_exe
behavioral1/files/0x0008000000012224-17.dat	autoit_exe
behavioral1/files/0x0008000000012224-19.dat	autoit_exe
behavioral1/files/0x0008000000012224-24.dat	autoit_exe
behavioral1/files/0x000d0000000122bd-26.dat	autoit_exe
behavioral1/files/0x000d0000000122bd-22.dat	autoit_exe
behavioral1/files/0x00250000000146b5-28.dat	autoit_exe
behavioral1/files/0x00250000000146b5-31.dat	autoit_exe
behavioral1/files/0x0007000000014b75-34.dat	autoit_exe
behavioral1/files/0x00250000000146b5-33.dat	autoit_exe
behavioral1/files/0x000d0000000122bd-40.dat	autoit_exe
behavioral1/files/0x0007000000014b75-38.dat	autoit_exe
behavioral1/files/0x0007000000014b75-41.dat	autoit_exe
behavioral1/files/0x00250000000146b5-42.dat	autoit_exe
behavioral1/files/0x00250000000146b5-43.dat	autoit_exe
behavioral1/files/0x0006000000016d5d-66.dat	autoit_exe
behavioral1/files/0x0006000000016fba-73.dat	autoit_exe
behavioral1/files/0x0006000000016fba-71.dat	autoit_exe
behavioral1/files/0x0006000000016fba-68.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe	02e961514afb689fdbe3ed00211a8d47.exe
File created	C:\Windows\SysWOW64\xhenqumz.exe	02e961514afb689fdbe3ed00211a8d47.exe
File created	C:\Windows\SysWOW64\wpryyhksecast.exe	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	tjbuxcehco.exe
File created	C:\Windows\SysWOW64\tjbuxcehco.exe	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\SysWOW64\tjbuxcehco.exe	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\SysWOW64\xhenqumz.exe	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\SysWOW64\wpryyhksecast.exe	02e961514afb689fdbe3ed00211a8d47.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xhenqumz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	xhenqumz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	xhenqumz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xhenqumz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xhenqumz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	xhenqumz.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	02e961514afb689fdbe3ed00211a8d47.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C77815EDDAC7B8CB7CE2ECE234CA"	02e961514afb689fdbe3ed00211a8d47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	tjbuxcehco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCF9BCFE65F192837C3B32869D3995B08A03F14268023CE2C945E909A2"	02e961514afb689fdbe3ed00211a8d47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C0D9C5282236D3476D370232CD67DF664D6"	02e961514afb689fdbe3ed00211a8d47.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	tjbuxcehco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	tjbuxcehco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	tjbuxcehco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	tjbuxcehco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC3B15B479239EC52CFB9D73298D4CC"	02e961514afb689fdbe3ed00211a8d47.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2508	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2432	xhenqumz.exe
2432	xhenqumz.exe
2432	xhenqumz.exe
2432	xhenqumz.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2888	ixxklhfdeupuwyx.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2432	xhenqumz.exe
2432	xhenqumz.exe
2432	xhenqumz.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
2384	02e961514afb689fdbe3ed00211a8d47.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
3016	tjbuxcehco.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
1312	xhenqumz.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
2888	ixxklhfdeupuwyx.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
1768	wpryyhksecast.exe
2432	xhenqumz.exe
2432	xhenqumz.exe
2432	xhenqumz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2508	WINWORD.EXE
2508	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3016	2384	02e961514afb689fdbe3ed00211a8d47.exe	28
PID 2384 wrote to memory of 3016	2384	02e961514afb689fdbe3ed00211a8d47.exe	28
PID 2384 wrote to memory of 3016	2384	02e961514afb689fdbe3ed00211a8d47.exe	28
PID 2384 wrote to memory of 3016	2384	02e961514afb689fdbe3ed00211a8d47.exe	28
PID 2384 wrote to memory of 2888	2384	02e961514afb689fdbe3ed00211a8d47.exe	29
PID 2384 wrote to memory of 2888	2384	02e961514afb689fdbe3ed00211a8d47.exe	29
PID 2384 wrote to memory of 2888	2384	02e961514afb689fdbe3ed00211a8d47.exe	29
PID 2384 wrote to memory of 2888	2384	02e961514afb689fdbe3ed00211a8d47.exe	29
PID 2384 wrote to memory of 1312	2384	02e961514afb689fdbe3ed00211a8d47.exe	30
PID 2384 wrote to memory of 1312	2384	02e961514afb689fdbe3ed00211a8d47.exe	30
PID 2384 wrote to memory of 1312	2384	02e961514afb689fdbe3ed00211a8d47.exe	30
PID 2384 wrote to memory of 1312	2384	02e961514afb689fdbe3ed00211a8d47.exe	30
PID 2384 wrote to memory of 1768	2384	02e961514afb689fdbe3ed00211a8d47.exe	31
PID 2384 wrote to memory of 1768	2384	02e961514afb689fdbe3ed00211a8d47.exe	31
PID 2384 wrote to memory of 1768	2384	02e961514afb689fdbe3ed00211a8d47.exe	31
PID 2384 wrote to memory of 1768	2384	02e961514afb689fdbe3ed00211a8d47.exe	31
PID 3016 wrote to memory of 2432	3016	tjbuxcehco.exe	32
PID 3016 wrote to memory of 2432	3016	tjbuxcehco.exe	32
PID 3016 wrote to memory of 2432	3016	tjbuxcehco.exe	32
PID 3016 wrote to memory of 2432	3016	tjbuxcehco.exe	32
PID 2384 wrote to memory of 2508	2384	02e961514afb689fdbe3ed00211a8d47.exe	33
PID 2384 wrote to memory of 2508	2384	02e961514afb689fdbe3ed00211a8d47.exe	33
PID 2384 wrote to memory of 2508	2384	02e961514afb689fdbe3ed00211a8d47.exe	33
PID 2384 wrote to memory of 2508	2384	02e961514afb689fdbe3ed00211a8d47.exe	33
PID 2508 wrote to memory of 548	2508	WINWORD.EXE	38
PID 2508 wrote to memory of 548	2508	WINWORD.EXE	38
PID 2508 wrote to memory of 548	2508	WINWORD.EXE	38
PID 2508 wrote to memory of 548	2508	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\02e961514afb689fdbe3ed00211a8d47.exe
"C:\Users\Admin\AppData\Local\Temp\02e961514afb689fdbe3ed00211a8d47.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\tjbuxcehco.exe
  tjbuxcehco.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\xhenqumz.exe
    C:\Windows\system32\xhenqumz.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2432
- C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe
  ixxklhfdeupuwyx.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2888
- C:\Windows\SysWOW64\xhenqumz.exe
  xhenqumz.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1312
- C:\Windows\SysWOW64\wpryyhksecast.exe
  wpryyhksecast.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1768
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
176KB

MD5
0c55a3835c0a7548ae15c1e549916385

SHA1
fda77f8e3a22fc35015230bc8eb58c6beca419b3

SHA256
2abef4668fd4d3cbbad8a63ca1ecaa9dd46ceb0267bd5d8eacbf8ff7a12314a1

SHA512
603722512b8ce0fce01d8eb891ed6e29ac6f21a917846a7e6276cdf090a16ebaecc5608ab07aea2a0c5ef97a509231c0cf95c90efbc38fb89740399d07e84c9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
324KB

MD5
b2256fbe9824709f0d772be561e29d41

SHA1
ef827f0445064d627b0e52e5f1446d9f66f13843

SHA256
f6f2410e6519468e68467562f4259ba4dd0bda26259a49619c3901cdb1c99c31

SHA512
f3087fa9070f655cf16e8bf9983a2a54634d55c1bf5b2715ecd3324833b700e1b1a2ebc54351d298bb9b0771b46e28fd404905f3076919763248c6245af2162f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
282KB

MD5
69af79402f6b514726e3679e457e2ca6

SHA1
27f702cb2a0c1999aefe1d1d0769633917d3a89a

SHA256
08ae79900bf120d981b30f31073d5ed2b006509a4d9d154677a7331fda1c63f3

SHA512
b49af0295980c38300ea63fdc26ab0f279bbe72f27fa712334c10d3f7c12dc5455729f19dffc2837b8c50db6b2959a1725a57f8ec5c679ea0b72761fbc4db0a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
bc6c7afa505b3b4eec8da749c248744f

SHA1
94ada4674b317dce4e447c410ab8a0c481294f49

SHA256
eefe8fceccd3da66412ba9f05a307852211c2c6e73f79ec513e823f030063daa

SHA512
fbefdd582d0f693a4c6aee2362c06efa71431c8c21d11348007e52935c9524af1aad2275f9134c077fd9bf13d9196dbdf83f3d2e53150385d18ecc9606c07ab3

Download Submit
C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe

Filesize
101KB

MD5
e67adf7a8d7b660535fc16083270fed4

SHA1
f00fa14bf89fd144538f3c233773cc54a89d2137

SHA256
8a4d632cc154fdae27f3b38f2f7c24f23c2d65a94dbea4f6287e4a09b48aef23

SHA512
08dc56a1d1c7055dfe7a37eb69b9140c86ddacf851bae960684fb2ea2fd368498f9f3f1a13ee58e39fc9a1814bf65c7de9e3f981cb0f56748fca0007eae65b87

Download Submit
C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe

Filesize
155KB

MD5
0e91aaf93cd598edcc63772147b99729

SHA1
f2c3dcdf5fd73fe268bae71766b8aa40f33669a8

SHA256
912ff5d3a4c93046cc360525bfb9a31a7e3a41ec6163b3cfca6fd3770d1d7bcb

SHA512
fc4ecd09d6e21cf22f8c7b7f639907acce095741e42e6de062c875777917bbddd9fe292d63a05011d0cca218d7d39cbd675ed32fbd9df88663e535c37143064f

Download Submit
C:\Windows\SysWOW64\ixxklhfdeupuwyx.exe

Filesize
512KB

MD5
a6abf658bf677470249538e1f3b84f94

SHA1
fb0767787afa35bbf9c09451f74891434f30bc01

SHA256
a9e6c726d7c449b5b6afb960e7b1155547719430313d68a4225af685c0103116

SHA512
a286ff430bb22cd86c0e10f815f06207b05a9d67f49571152c81eaa6e75b3b623c13d9253b965952c07bbee8c5f7c65ffcc6ed5259281c2fe9a78fb03adc415b

Download Submit
C:\Windows\SysWOW64\tjbuxcehco.exe

Filesize
117KB

MD5
0061f8b8769385936dd989bf9ec31245

SHA1
25703f5714e02cce435ded0cb61aa23c926f875b

SHA256
d9709b7ef36ea0ec00a2a03afd6a3d1ee7184ed50e3a6b9f7bd8afe41fb7208a

SHA512
611e382f6e73b776ebd88e4d484b819c57fe784ed751e2e0e75721abf881163db6048f23458fe5b28dd84684305eb98d6c14f9d6adf89a80e3151d2a1b208027

Download Submit
C:\Windows\SysWOW64\tjbuxcehco.exe

Filesize
121KB

MD5
2c37920e3a1ca1a5a25cee35f3d55e90

SHA1
2c28aceac75bc91e310d79ab27de4af4ec1f1bb6

SHA256
902837b36dce3881a95920b8d4fab5612f0e12510dc525c9a65daa97679b59e6

SHA512
07d389718dce93207ce7465e9590536208e5b43ce6053758b60454930dd00e77951a1dfbd5e3cfdba3f6d88cfa25250692b4a70978033544c25bfc3c3062b3fe

Download Submit
C:\Windows\SysWOW64\wpryyhksecast.exe

Filesize
95KB

MD5
e11b0bc6ca1a7f4643d4d3c223391aa5

SHA1
18db1aa6c4966c69aa5e7d0391c512538622e930

SHA256
1e10d05cd0a82ac8c1e6716c86a84c3870190d1779bf8b35059e674f4559e852

SHA512
5b8785e158964da213e798ed97c730ee951b6accc424e290a04cf6ac7e3272787247a6634e59f41b4ef1d79558083fe08e2ecc77cddf81b38280c4f8312c9089

Download Submit
C:\Windows\SysWOW64\wpryyhksecast.exe

Filesize
76KB

MD5
c43077b414f3c19adb376f80a6051e46

SHA1
b4a5d952f2dc2710d56f6921e84889c9daa8be4c

SHA256
1f458c634d51b58733ec5d2f416e713cbec139893ce8f4de9865eb6bac0792f4

SHA512
fb24707be1c3c2e0046aef8a4b8fb30a74206ae542e19e037e9859b1f95458ea3efcb5dcf355780d333c29efd287ca02707532f2938f49ee0caae3e7263aa799

Download Submit
C:\Windows\SysWOW64\xhenqumz.exe

Filesize
104KB

MD5
489a2cfe7e5322ded8186b1c21a4d435

SHA1
60a32c9a893506745906da1bdf8b05988ef8a614

SHA256
8b66dc9a77722960521a58806e49139df16937538406833f468f66faed94cc2f

SHA512
8276550ba4f050ddebccd638b8ad88fffab4a99596b868534eb4d2ebc92d6533ef53f34e39469fc45428fdde31f726ba3a3a8baf5908ac4d645a532e63aad87d

Download Submit
C:\Windows\SysWOW64\xhenqumz.exe

Filesize
120KB

MD5
c6a6929371896d18a038407c968181cd

SHA1
f5f2fb80aacf0208e7d87c3ffc3977ce2edefb00

SHA256
92fb18eee76a2d15e6b36443ebab9c1130a19171dfaf163e17bbb7d8681b57fe

SHA512
b2ef4935bed8a070489fdc8768df4e69deeac46c53cf90ca20d1461f50472f5a92ff4cae3a0e5abac95ffbae407e05e1988ab0a81957a42e99cb0d44b7833b92

Download Submit
C:\Windows\SysWOW64\xhenqumz.exe

Filesize
107KB

MD5
5a039a6a91caef80b312f21ee7114d54

SHA1
b3b6ae77f901bce5e1f826b732199b9e86d35e04

SHA256
b834c81efdad0a04082d822e501c4d9252e2e30b540f1da31879482f83be9a58

SHA512
3b52ec2e264637933142b00106247ead5ac2f01a290f041cb912462f273e9b538b658a76ca778325720e86aba129e9c20ea328d413266e975e21563b84add823

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
297KB

MD5
541f01158a5b270981a5429d554827ae

SHA1
f9cfbb20f7b7086e2ca0325ccd103be467d60769

SHA256
7c55259e1b74d86a204afaf3bd811ffcf2f53e978142fbbaa2220e9baec0d3e2

SHA512
24923ca3ff90e1c2d395029bc1f26b7e43364ea3834c1d207f7e5ba5437c88235f741484d8ee57bb6bf65039797f6ad29d54c3cca5fec31c472bbd6ce3f8339d

Download Submit
\Windows\SysWOW64\ixxklhfdeupuwyx.exe

Filesize
136KB

MD5
dcf2c76bfd98d92b96917c6748a8308d

SHA1
46cb97ccfea7f1b3633e161d75f35fb65fa23a1f

SHA256
e5e9e98e1544d622ccf5cfe05400163bd003d96233c7c2ee4c1615abfdae3b95

SHA512
380413448c01bc96741e0dd8c7f088e8229a90d171dba1011d1b58c698e3e3a7e32ce2fb510283f8dfcbbe0f98ef97ea2d46dfa50e5b25374d957195a5bdc931

Download Submit
\Windows\SysWOW64\tjbuxcehco.exe

Filesize
512KB

MD5
1d067b9e70b609b5927bf86e83914c10

SHA1
0225cdb556e2ef9b81020d102afd2b3f2a4e4998

SHA256
b5651135fd62026455ea8022724ab3f64ffe9b93aeb5334864fda16b58a2e77e

SHA512
62c29485d37da38cd1ffb181a4d414a7dbdd193730bb052efc5a02bc5880cc99914a9d45cdd8d298ac0f97b09f3a903fadb7fdb0189f778422ee1268543fd96c

Download Submit
\Windows\SysWOW64\wpryyhksecast.exe

Filesize
79KB

MD5
c18e970fa8497010a262b254a86e003e

SHA1
bf31f234d173d2c410af3d1a3cf183967968ca66

SHA256
200db8a17e849621c41ff2a7dacc739c7282a98ce7dc12f7b2bd1772a699424c

SHA512
f7d138abbdbe4a2f3b79599f75c8754e1f3f882869975a4bf151416119da3d17125444be2acce8b2f9becfd21be8621f90265db2287a520180bdfd936d287d68

Download Submit
\Windows\SysWOW64\xhenqumz.exe

Filesize
122KB

MD5
d5c5f2f1d4eeb0a4eab5204de51136b2

SHA1
752b18523a601c573f41bb18ab0da8397d015939

SHA256
6718070c02ba380556341136b1b8890044826f16f7c1f8a7021270cba88209b2

SHA512
4cf0db7c5e122032786ba49722e4257f70358106e579aa3a0de61dd769317f160bf578a957cbb813108fd578599656828ab377248d6ac162e1d7744d6821124d

Download Submit
\Windows\SysWOW64\xhenqumz.exe

Filesize
63KB

MD5
61e6fa3a2b79b1004a461e6308e10630

SHA1
b03beeb34bfef81ae1d7542aef56ebb0aadf4275

SHA256
438f75a1180ab3fa2dded01d1eee9bb097ed93164fe0a7f2b94b2620d7b8014c

SHA512
701933e3ee5f5a9b53f0bbebc7736ff2e57ea8e8e9d2f67866f4daa723046299634e295c16c895cbd7ce381a0c4858ce84d1d229f753b0fc5dc6c02aa000d8e4

Download Submit
memory/2384-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2508-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-47-0x00000000717DD000-0x00000000717E8000-memory.dmp

Filesize
44KB

Download
memory/2508-45-0x000000002FF91000-0x000000002FF92000-memory.dmp

Filesize
4KB

Download
memory/2508-80-0x00000000717DD000-0x00000000717E8000-memory.dmp

Filesize
44KB

Download
memory/2508-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download