cfb4d6ee578e544d7eebf0d054801c482878b0aa1bf6187ed236db3b8da6a8ca

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3eb04652a3a57731b166a03425639ddd.exe
Size

512KB
MD5

3eb04652a3a57731b166a03425639ddd
SHA1

0dab4b6bdd78b3495bab0ed32ca24d9d4d25d23f
SHA256

cfb4d6ee578e544d7eebf0d054801c482878b0aa1bf6187ed236db3b8da6a8ca
SHA512

215b4b65d4a40eb000f42d5c218c34b5b2205d6bd513989dbf37d418f4feb88844b7f3641eaa9fe46f6810516dab8bd4febe757e241c309bb8bff6e45382280b
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6l:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ufvmyrjnxg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ufvmyrjnxg.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ufvmyrjnxg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ufvmyrjnxg.exe

Executes dropped EXE 5 IoCs

pid	Process
2768	ufvmyrjnxg.exe
2704	vdbwmmaackoasil.exe
2868	hvnmarun.exe
2736	pmdebqrkeeryv.exe
2644	hvnmarun.exe

Loads dropped DLL 5 IoCs

pid	Process
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2768	ufvmyrjnxg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ufvmyrjnxg.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ahgntjpt = "ufvmyrjnxg.exe"	vdbwmmaackoasil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\walahjbo = "vdbwmmaackoasil.exe"	vdbwmmaackoasil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "pmdebqrkeeryv.exe"	vdbwmmaackoasil.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	hvnmarun.exe
File opened (read-only)	\??\i:	ufvmyrjnxg.exe
File opened (read-only)	\??\o:	ufvmyrjnxg.exe
File opened (read-only)	\??\y:	hvnmarun.exe
File opened (read-only)	\??\y:	hvnmarun.exe
File opened (read-only)	\??\x:	ufvmyrjnxg.exe
File opened (read-only)	\??\i:	hvnmarun.exe
File opened (read-only)	\??\w:	hvnmarun.exe
File opened (read-only)	\??\v:	hvnmarun.exe
File opened (read-only)	\??\s:	hvnmarun.exe
File opened (read-only)	\??\r:	ufvmyrjnxg.exe
File opened (read-only)	\??\v:	ufvmyrjnxg.exe
File opened (read-only)	\??\g:	hvnmarun.exe
File opened (read-only)	\??\l:	ufvmyrjnxg.exe
File opened (read-only)	\??\s:	hvnmarun.exe
File opened (read-only)	\??\a:	hvnmarun.exe
File opened (read-only)	\??\h:	hvnmarun.exe
File opened (read-only)	\??\n:	hvnmarun.exe
File opened (read-only)	\??\b:	ufvmyrjnxg.exe
File opened (read-only)	\??\b:	hvnmarun.exe
File opened (read-only)	\??\s:	ufvmyrjnxg.exe
File opened (read-only)	\??\k:	hvnmarun.exe
File opened (read-only)	\??\p:	hvnmarun.exe
File opened (read-only)	\??\g:	hvnmarun.exe
File opened (read-only)	\??\j:	hvnmarun.exe
File opened (read-only)	\??\h:	ufvmyrjnxg.exe
File opened (read-only)	\??\j:	ufvmyrjnxg.exe
File opened (read-only)	\??\u:	ufvmyrjnxg.exe
File opened (read-only)	\??\j:	hvnmarun.exe
File opened (read-only)	\??\r:	hvnmarun.exe
File opened (read-only)	\??\b:	hvnmarun.exe
File opened (read-only)	\??\l:	hvnmarun.exe
File opened (read-only)	\??\q:	hvnmarun.exe
File opened (read-only)	\??\a:	ufvmyrjnxg.exe
File opened (read-only)	\??\l:	hvnmarun.exe
File opened (read-only)	\??\z:	hvnmarun.exe
File opened (read-only)	\??\t:	hvnmarun.exe
File opened (read-only)	\??\x:	hvnmarun.exe
File opened (read-only)	\??\e:	ufvmyrjnxg.exe
File opened (read-only)	\??\g:	ufvmyrjnxg.exe
File opened (read-only)	\??\u:	hvnmarun.exe
File opened (read-only)	\??\w:	hvnmarun.exe
File opened (read-only)	\??\o:	hvnmarun.exe
File opened (read-only)	\??\x:	hvnmarun.exe
File opened (read-only)	\??\w:	ufvmyrjnxg.exe
File opened (read-only)	\??\a:	hvnmarun.exe
File opened (read-only)	\??\k:	hvnmarun.exe
File opened (read-only)	\??\r:	hvnmarun.exe
File opened (read-only)	\??\k:	ufvmyrjnxg.exe
File opened (read-only)	\??\n:	ufvmyrjnxg.exe
File opened (read-only)	\??\m:	hvnmarun.exe
File opened (read-only)	\??\q:	ufvmyrjnxg.exe
File opened (read-only)	\??\u:	hvnmarun.exe
File opened (read-only)	\??\e:	hvnmarun.exe
File opened (read-only)	\??\i:	hvnmarun.exe
File opened (read-only)	\??\e:	hvnmarun.exe
File opened (read-only)	\??\q:	hvnmarun.exe
File opened (read-only)	\??\p:	hvnmarun.exe
File opened (read-only)	\??\v:	hvnmarun.exe
File opened (read-only)	\??\y:	ufvmyrjnxg.exe
File opened (read-only)	\??\z:	ufvmyrjnxg.exe
File opened (read-only)	\??\m:	ufvmyrjnxg.exe
File opened (read-only)	\??\p:	ufvmyrjnxg.exe
File opened (read-only)	\??\n:	hvnmarun.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ufvmyrjnxg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ufvmyrjnxg.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d00000001473e-5.dat	autoit_exe
behavioral1/files/0x000b000000012243-17.dat	autoit_exe
behavioral1/files/0x0030000000014b90-28.dat	autoit_exe
behavioral1/files/0x0007000000015580-34.dat	autoit_exe
behavioral1/files/0x0005000000018671-73.dat	autoit_exe
behavioral1/files/0x00050000000186a4-76.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pmdebqrkeeryv.exe	3eb04652a3a57731b166a03425639ddd.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ufvmyrjnxg.exe
File opened for modification	C:\Windows\SysWOW64\ufvmyrjnxg.exe	3eb04652a3a57731b166a03425639ddd.exe
File opened for modification	C:\Windows\SysWOW64\vdbwmmaackoasil.exe	3eb04652a3a57731b166a03425639ddd.exe
File created	C:\Windows\SysWOW64\hvnmarun.exe	3eb04652a3a57731b166a03425639ddd.exe
File created	C:\Windows\SysWOW64\pmdebqrkeeryv.exe	3eb04652a3a57731b166a03425639ddd.exe
File created	C:\Windows\SysWOW64\ufvmyrjnxg.exe	3eb04652a3a57731b166a03425639ddd.exe
File created	C:\Windows\SysWOW64\vdbwmmaackoasil.exe	3eb04652a3a57731b166a03425639ddd.exe
File opened for modification	C:\Windows\SysWOW64\hvnmarun.exe	3eb04652a3a57731b166a03425639ddd.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hvnmarun.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hvnmarun.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hvnmarun.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hvnmarun.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hvnmarun.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hvnmarun.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	hvnmarun.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	hvnmarun.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	3eb04652a3a57731b166a03425639ddd.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	ufvmyrjnxg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ufvmyrjnxg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F06BC4FE1A21ADD10FD0A48B799011"	3eb04652a3a57731b166a03425639ddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193EC6091597DAC5B8CC7C97EDE734C6"	3eb04652a3a57731b166a03425639ddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	ufvmyrjnxg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2852	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2644	hvnmarun.exe
2644	hvnmarun.exe
2644	hvnmarun.exe
2644	hvnmarun.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2704	vdbwmmaackoasil.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2644	hvnmarun.exe
2644	hvnmarun.exe
2644	hvnmarun.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2904	3eb04652a3a57731b166a03425639ddd.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2768	ufvmyrjnxg.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2704	vdbwmmaackoasil.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2868	hvnmarun.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2736	pmdebqrkeeryv.exe
2644	hvnmarun.exe
2644	hvnmarun.exe
2644	hvnmarun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	WINWORD.EXE
2852	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2768	2904	3eb04652a3a57731b166a03425639ddd.exe	28
PID 2904 wrote to memory of 2768	2904	3eb04652a3a57731b166a03425639ddd.exe	28
PID 2904 wrote to memory of 2768	2904	3eb04652a3a57731b166a03425639ddd.exe	28
PID 2904 wrote to memory of 2768	2904	3eb04652a3a57731b166a03425639ddd.exe	28
PID 2904 wrote to memory of 2704	2904	3eb04652a3a57731b166a03425639ddd.exe	29
PID 2904 wrote to memory of 2704	2904	3eb04652a3a57731b166a03425639ddd.exe	29
PID 2904 wrote to memory of 2704	2904	3eb04652a3a57731b166a03425639ddd.exe	29
PID 2904 wrote to memory of 2704	2904	3eb04652a3a57731b166a03425639ddd.exe	29
PID 2904 wrote to memory of 2868	2904	3eb04652a3a57731b166a03425639ddd.exe	30
PID 2904 wrote to memory of 2868	2904	3eb04652a3a57731b166a03425639ddd.exe	30
PID 2904 wrote to memory of 2868	2904	3eb04652a3a57731b166a03425639ddd.exe	30
PID 2904 wrote to memory of 2868	2904	3eb04652a3a57731b166a03425639ddd.exe	30
PID 2904 wrote to memory of 2736	2904	3eb04652a3a57731b166a03425639ddd.exe	31
PID 2904 wrote to memory of 2736	2904	3eb04652a3a57731b166a03425639ddd.exe	31
PID 2904 wrote to memory of 2736	2904	3eb04652a3a57731b166a03425639ddd.exe	31
PID 2904 wrote to memory of 2736	2904	3eb04652a3a57731b166a03425639ddd.exe	31
PID 2768 wrote to memory of 2644	2768	ufvmyrjnxg.exe	32
PID 2768 wrote to memory of 2644	2768	ufvmyrjnxg.exe	32
PID 2768 wrote to memory of 2644	2768	ufvmyrjnxg.exe	32
PID 2768 wrote to memory of 2644	2768	ufvmyrjnxg.exe	32
PID 2904 wrote to memory of 2852	2904	3eb04652a3a57731b166a03425639ddd.exe	33
PID 2904 wrote to memory of 2852	2904	3eb04652a3a57731b166a03425639ddd.exe	33
PID 2904 wrote to memory of 2852	2904	3eb04652a3a57731b166a03425639ddd.exe	33
PID 2904 wrote to memory of 2852	2904	3eb04652a3a57731b166a03425639ddd.exe	33
PID 2852 wrote to memory of 1320	2852	WINWORD.EXE	36
PID 2852 wrote to memory of 1320	2852	WINWORD.EXE	36
PID 2852 wrote to memory of 1320	2852	WINWORD.EXE	36
PID 2852 wrote to memory of 1320	2852	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe
"C:\Users\Admin\AppData\Local\Temp\3eb04652a3a57731b166a03425639ddd.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\ufvmyrjnxg.exe
  ufvmyrjnxg.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\hvnmarun.exe
    C:\Windows\system32\hvnmarun.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2644
- C:\Windows\SysWOW64\vdbwmmaackoasil.exe
  vdbwmmaackoasil.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2704
- C:\Windows\SysWOW64\hvnmarun.exe
  hvnmarun.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2868
- C:\Windows\SysWOW64\pmdebqrkeeryv.exe
  pmdebqrkeeryv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2736
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
f682077ddb9a29d0cb8ee9e0e5a4e5d2

SHA1
8c03b23ea0fd375784b690b99cefadf9a82466ff

SHA256
1024a92626aa830e11f75054033cc232a37c986fef68e2112e110bf857710c3e

SHA512
52a0e26bd29aa1ddfeb9a711873643e1c0e82e8a4c2a7d2e21c838a91dc6535b688bd09f74e058dc8f38cc3e4830481eec9fabd9cd0bf473ba1e2c97b73e14b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
d287d6d06034f960c17d764e5615dab5

SHA1
778950f9ad1eb3b13b92d369e1ef21253ad6d00e

SHA256
8e712a1acd46933ca432da20cddb14f0247f535dabf9e856c7be3940e0a048e2

SHA512
995b83fb998e78ee5028f90ec041ddbd3d6b0019a4ff4c827dfd573e76c408fc2fff31e3ab80df02df6066fb7dd9f3adf96b6f1497a38fbe4427ae65f4a95e4d

Download Submit
C:\Users\Admin\Downloads\ResetCopy.doc.exe

Filesize
512KB

MD5
21d9c4405f2b79e0094d69fa9a3132b4

SHA1
47483c4292cdecda1a1b99508079ca6f96e2ab12

SHA256
a02c1ee9671f70cb05b31a721091a2b883be09fa6f57debf437d17cd9ad9d705

SHA512
32e7c40e7f9d2f66832326fe0f77c3535be7055b3df42504a943c7bf70833ae0f65f3bc0d270225711c92ef699f57e5e998607582a9f9978b80455be475447cf

Download Submit
C:\Windows\SysWOW64\vdbwmmaackoasil.exe

Filesize
512KB

MD5
4223aecd5e0d8938d1a84b2de151abd0

SHA1
3943f90ea7c3e190a99768c3967ca1c774b0b56f

SHA256
db69334bac7e8346e1e08bb1f562b4ae9761d2810895a04feab67981463b91ed

SHA512
64f94ae2ecb087685e9b03de46beb5c8c076edc2fecc5d63401871a4872bf24a73d090ef14d50b30e790ad1bda2d2ac8e64d4fd383f27b1af322f5839bc4a5df

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\hvnmarun.exe

Filesize
512KB

MD5
aed766f6b3a87af0cb7ca04706e76847

SHA1
b115fdb0a3cfed6ba9287ea021dcba317a7f34e8

SHA256
aaee4eef4b11f00a8db4f5dad15d2fc263c33b9d6795053bad7cf6d8e35d54e5

SHA512
36973f26ae450d4bf6af7b02a691894cb576a0c9d17353c65538ea1798029d2f64ab06921630f0ff47044f20da18b32cd2fc397b449f3c7e801ec0d3aad7b922

Download Submit
\Windows\SysWOW64\pmdebqrkeeryv.exe

Filesize
512KB

MD5
4704948efd3888decec6fd4ac99e91a7

SHA1
2ca28197b82d9477620ceb298cb0120e8c0bd132

SHA256
543e99a96631edf67499528e26cf1edc09f2021d8dcd8abab8cfe80cb41d0d5d

SHA512
e80f9e501c239775f43863281e034cb98798a820c1a0510a5f5dbff2e5c91919b567acb4d7c9c43edc04215923715f84ccc7fefe01363627e5c869a28c32b845

Download Submit
\Windows\SysWOW64\ufvmyrjnxg.exe

Filesize
512KB

MD5
772f77ee8805f7dcefec641f729953bc

SHA1
1fc4bf802be2b73631aad53066ace824181e677c

SHA256
65664c712c6592d9e2f99d269c1b26d6aab249ce3c09c286388f8ad33cb70217

SHA512
85acad7a6cd8b27e7bc4727ef799eeb47107d2e0980bd93ecbf8d3e6f95ec7fbdf548249b73f650886d4d60403c47d4cc59cf0c13a5d53c3b890731d1da48e64

Download Submit
memory/2852-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2852-47-0x0000000070D4D000-0x0000000070D58000-memory.dmp

Filesize
44KB

Download
memory/2852-45-0x000000002F551000-0x000000002F552000-memory.dmp

Filesize
4KB

Download
memory/2852-79-0x0000000070D4D000-0x0000000070D58000-memory.dmp

Filesize
44KB

Download
memory/2852-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2904-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download