0a927d7e6771b961587b4d6cf122083077ee92714c4ae2548767f636af9f9881

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03-01-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b80011bbbee3f57ba7ee431b1e1904f.exe
Size

512KB
MD5

2b80011bbbee3f57ba7ee431b1e1904f
SHA1

6bb90708595987f5f9a0dff7a7f738020433ed2f
SHA256

0a927d7e6771b961587b4d6cf122083077ee92714c4ae2548767f636af9f9881
SHA512

7fabbf7fb5cd692c7d6af3b2e26e9e73bf4f44bc67101d1a71bc64e908117445a2affa2cc3f0699f585fc305ac398cc4e6278e079ab8d45d556e5f1aeb256388
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6F:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	vkzvkymvkb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	vkzvkymvkb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	vkzvkymvkb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vkzvkymvkb.exe

Executes dropped EXE 5 IoCs

pid	Process
2692	vkzvkymvkb.exe
2860	iehkwubcnpyncsu.exe
2772	vsyisegz.exe
2408	zriuhowwluuqg.exe
2660	vsyisegz.exe

Loads dropped DLL 5 IoCs

pid	Process
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2692	vkzvkymvkb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vkzvkymvkb.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dzwfjyrz = "vkzvkymvkb.exe"	iehkwubcnpyncsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dvuapjyr = "iehkwubcnpyncsu.exe"	iehkwubcnpyncsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "zriuhowwluuqg.exe"	iehkwubcnpyncsu.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	vkzvkymvkb.exe
File opened (read-only)	\??\g:	vsyisegz.exe
File opened (read-only)	\??\w:	vsyisegz.exe
File opened (read-only)	\??\b:	vkzvkymvkb.exe
File opened (read-only)	\??\e:	vkzvkymvkb.exe
File opened (read-only)	\??\g:	vsyisegz.exe
File opened (read-only)	\??\q:	vkzvkymvkb.exe
File opened (read-only)	\??\a:	vsyisegz.exe
File opened (read-only)	\??\j:	vsyisegz.exe
File opened (read-only)	\??\m:	vsyisegz.exe
File opened (read-only)	\??\n:	vsyisegz.exe
File opened (read-only)	\??\z:	vsyisegz.exe
File opened (read-only)	\??\o:	vkzvkymvkb.exe
File opened (read-only)	\??\h:	vsyisegz.exe
File opened (read-only)	\??\z:	vsyisegz.exe
File opened (read-only)	\??\z:	vkzvkymvkb.exe
File opened (read-only)	\??\k:	vsyisegz.exe
File opened (read-only)	\??\a:	vsyisegz.exe
File opened (read-only)	\??\j:	vsyisegz.exe
File opened (read-only)	\??\n:	vsyisegz.exe
File opened (read-only)	\??\r:	vsyisegz.exe
File opened (read-only)	\??\i:	vkzvkymvkb.exe
File opened (read-only)	\??\p:	vkzvkymvkb.exe
File opened (read-only)	\??\b:	vsyisegz.exe
File opened (read-only)	\??\x:	vsyisegz.exe
File opened (read-only)	\??\h:	vsyisegz.exe
File opened (read-only)	\??\v:	vsyisegz.exe
File opened (read-only)	\??\j:	vkzvkymvkb.exe
File opened (read-only)	\??\x:	vkzvkymvkb.exe
File opened (read-only)	\??\v:	vkzvkymvkb.exe
File opened (read-only)	\??\y:	vsyisegz.exe
File opened (read-only)	\??\b:	vsyisegz.exe
File opened (read-only)	\??\t:	vsyisegz.exe
File opened (read-only)	\??\y:	vkzvkymvkb.exe
File opened (read-only)	\??\t:	vsyisegz.exe
File opened (read-only)	\??\p:	vsyisegz.exe
File opened (read-only)	\??\q:	vsyisegz.exe
File opened (read-only)	\??\s:	vsyisegz.exe
File opened (read-only)	\??\w:	vkzvkymvkb.exe
File opened (read-only)	\??\s:	vsyisegz.exe
File opened (read-only)	\??\u:	vsyisegz.exe
File opened (read-only)	\??\w:	vsyisegz.exe
File opened (read-only)	\??\m:	vsyisegz.exe
File opened (read-only)	\??\u:	vsyisegz.exe
File opened (read-only)	\??\h:	vkzvkymvkb.exe
File opened (read-only)	\??\s:	vkzvkymvkb.exe
File opened (read-only)	\??\o:	vsyisegz.exe
File opened (read-only)	\??\g:	vkzvkymvkb.exe
File opened (read-only)	\??\m:	vkzvkymvkb.exe
File opened (read-only)	\??\l:	vsyisegz.exe
File opened (read-only)	\??\x:	vsyisegz.exe
File opened (read-only)	\??\y:	vsyisegz.exe
File opened (read-only)	\??\n:	vkzvkymvkb.exe
File opened (read-only)	\??\i:	vsyisegz.exe
File opened (read-only)	\??\e:	vsyisegz.exe
File opened (read-only)	\??\e:	vsyisegz.exe
File opened (read-only)	\??\u:	vkzvkymvkb.exe
File opened (read-only)	\??\o:	vsyisegz.exe
File opened (read-only)	\??\v:	vsyisegz.exe
File opened (read-only)	\??\a:	vkzvkymvkb.exe
File opened (read-only)	\??\t:	vkzvkymvkb.exe
File opened (read-only)	\??\p:	vsyisegz.exe
File opened (read-only)	\??\q:	vsyisegz.exe
File opened (read-only)	\??\r:	vsyisegz.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	vkzvkymvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	vkzvkymvkb.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b0000000144eb-5.dat	autoit_exe
behavioral1/files/0x00070000000122c9-20.dat	autoit_exe
behavioral1/files/0x00070000000122c9-17.dat	autoit_exe
behavioral1/files/0x0029000000014721-31.dat	autoit_exe
behavioral1/files/0x0029000000014721-28.dat	autoit_exe
behavioral1/files/0x00070000000122c9-26.dat	autoit_exe
behavioral1/files/0x0007000000014ba6-33.dat	autoit_exe
behavioral1/files/0x000b0000000144eb-39.dat	autoit_exe
behavioral1/files/0x0029000000014721-38.dat	autoit_exe
behavioral1/files/0x0007000000014ba6-37.dat	autoit_exe
behavioral1/files/0x000b0000000144eb-25.dat	autoit_exe
behavioral1/files/0x0007000000014ba6-41.dat	autoit_exe
behavioral1/files/0x0029000000014721-43.dat	autoit_exe
behavioral1/files/0x0029000000014721-42.dat	autoit_exe
behavioral1/files/0x000b0000000144eb-21.dat	autoit_exe
behavioral1/files/0x0006000000016110-77.dat	autoit_exe
behavioral1/files/0x0006000000016110-74.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vkzvkymvkb.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File created	C:\Windows\SysWOW64\iehkwubcnpyncsu.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File opened for modification	C:\Windows\SysWOW64\vsyisegz.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File opened for modification	C:\Windows\SysWOW64\zriuhowwluuqg.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	vkzvkymvkb.exe
File created	C:\Windows\SysWOW64\vkzvkymvkb.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File opened for modification	C:\Windows\SysWOW64\iehkwubcnpyncsu.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File created	C:\Windows\SysWOW64\vsyisegz.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe
File created	C:\Windows\SysWOW64\zriuhowwluuqg.exe	2b80011bbbee3f57ba7ee431b1e1904f.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vsyisegz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vsyisegz.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vsyisegz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vsyisegz.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vsyisegz.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vsyisegz.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	2b80011bbbee3f57ba7ee431b1e1904f.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FFBFCFC4829826D9130D7287E92BC95E14758426642623FD7EA"	2b80011bbbee3f57ba7ee431b1e1904f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAB1F965F192840C3A4486993992B081038D4261034EE1CD459C09D6"	2b80011bbbee3f57ba7ee431b1e1904f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F568C6FF1A21DED27AD1A78B7B9060"	2b80011bbbee3f57ba7ee431b1e1904f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	vkzvkymvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	vkzvkymvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2772	vsyisegz.exe
2772	vsyisegz.exe
2772	vsyisegz.exe
2772	vsyisegz.exe
2660	vsyisegz.exe
2660	vsyisegz.exe
2660	vsyisegz.exe
2660	vsyisegz.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2860	iehkwubcnpyncsu.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2772	vsyisegz.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2772	vsyisegz.exe
2772	vsyisegz.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2660	vsyisegz.exe
2660	vsyisegz.exe
2660	vsyisegz.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2428	2b80011bbbee3f57ba7ee431b1e1904f.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2692	vkzvkymvkb.exe
2772	vsyisegz.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2860	iehkwubcnpyncsu.exe
2772	vsyisegz.exe
2772	vsyisegz.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2408	zriuhowwluuqg.exe
2660	vsyisegz.exe
2660	vsyisegz.exe
2660	vsyisegz.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	WINWORD.EXE
2372	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2692	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	28
PID 2428 wrote to memory of 2692	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	28
PID 2428 wrote to memory of 2692	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	28
PID 2428 wrote to memory of 2692	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	28
PID 2428 wrote to memory of 2860	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	33
PID 2428 wrote to memory of 2860	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	33
PID 2428 wrote to memory of 2860	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	33
PID 2428 wrote to memory of 2860	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	33
PID 2428 wrote to memory of 2772	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	32
PID 2428 wrote to memory of 2772	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	32
PID 2428 wrote to memory of 2772	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	32
PID 2428 wrote to memory of 2772	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	32
PID 2428 wrote to memory of 2408	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	29
PID 2428 wrote to memory of 2408	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	29
PID 2428 wrote to memory of 2408	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	29
PID 2428 wrote to memory of 2408	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	29
PID 2692 wrote to memory of 2660	2692	vkzvkymvkb.exe	30
PID 2692 wrote to memory of 2660	2692	vkzvkymvkb.exe	30
PID 2692 wrote to memory of 2660	2692	vkzvkymvkb.exe	30
PID 2692 wrote to memory of 2660	2692	vkzvkymvkb.exe	30
PID 2428 wrote to memory of 2372	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	31
PID 2428 wrote to memory of 2372	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	31
PID 2428 wrote to memory of 2372	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	31
PID 2428 wrote to memory of 2372	2428	2b80011bbbee3f57ba7ee431b1e1904f.exe	31
PID 2372 wrote to memory of 1824	2372	WINWORD.EXE	36
PID 2372 wrote to memory of 1824	2372	WINWORD.EXE	36
PID 2372 wrote to memory of 1824	2372	WINWORD.EXE	36
PID 2372 wrote to memory of 1824	2372	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\2b80011bbbee3f57ba7ee431b1e1904f.exe
"C:\Users\Admin\AppData\Local\Temp\2b80011bbbee3f57ba7ee431b1e1904f.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\vkzvkymvkb.exe
  vkzvkymvkb.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\vsyisegz.exe
    C:\Windows\system32\vsyisegz.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2660
- C:\Windows\SysWOW64\zriuhowwluuqg.exe
  zriuhowwluuqg.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2408
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1824
- C:\Windows\SysWOW64\vsyisegz.exe
  vsyisegz.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2772
- C:\Windows\SysWOW64\iehkwubcnpyncsu.exe
  iehkwubcnpyncsu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\CompressConvertFrom.doc.exe

Filesize
139KB

MD5
449002f7443a49d21c4f636096088e7e

SHA1
7634b7b4b31463c29d1ba1aff81775ecd3c5874c

SHA256
6e43ad4ab48dfae4a37336b23c884c5e953d929216d441f0b6ab286231224e9e

SHA512
17b5f3b8d0148a1f637e833b9ffbddfef5c4cde946cae85f9f1111cf26983e9cb8b17ecb364f0258f0e008ac1fcae28f646efe6b6a8c32aea00097acd5c8bddc

Download Submit
C:\Users\Admin\Desktop\CompressConvertFrom.doc.exe

Filesize
168KB

MD5
a3a3e354a1533cce656c89582b1e716b

SHA1
505cb30cc2b664d78b049605ade6381ad977a686

SHA256
7818011697729f930dbed9b428940742c3c7327cc0481c9e2144815e27edaa30

SHA512
ffef860cb9a3b34dc8e269caeaf66a841f4919d6d612935e55a950b2941351aa4c9f713f5631880cac5baa96846c566438abbb996c9bbba4786466a623cafd8f

Download Submit
C:\Windows\SysWOW64\iehkwubcnpyncsu.exe

Filesize
306KB

MD5
a21becf375184fbc59d4d4e5a6960607

SHA1
86ea7e8c2b84fff181e9ed11048528bfc8416dc9

SHA256
76d844ad5a18a631130d90d0e8f7810a1f0c6569915938e5f4075c8515241bb1

SHA512
c7e3c9cead3560c19b63ac5b541ea05c986572ac3d66b52f52b677b19abf8c7e94895811149b61ec86050dc36e31275824983be676ec7e98f83c8bd382514df7

Download Submit
C:\Windows\SysWOW64\iehkwubcnpyncsu.exe

Filesize
348KB

MD5
8e374806dbf646fad0a3a7f1bda91655

SHA1
2b9785a9f418f2de788e96bb5b24a03828bc5821

SHA256
5ef0d1560db02a87b420a855d8909b9cfb8494c221fe63e042d16b41ed823534

SHA512
f1d843a2eb445b40347386b3773e84afb9ab7a280b299bc60787ae2d1a08b0be4def13bd6cbafad6efbf45be42a174d5ddcfc2bf6a334084d52bde21a7bbf5ba

Download Submit
C:\Windows\SysWOW64\iehkwubcnpyncsu.exe

Filesize
468KB

MD5
81e5a1625b3609697f3dcf79d4a09a3f

SHA1
db44469c9af062e42974f5a9beb61917c1f0f558

SHA256
bd84f42b994a6683789e51cf66564ef12935f96753d5b5d81290cb2d2dacd4c5

SHA512
16f599d7de5a0f9aae5010edcbad6b0e93dac8a439654688e9ad5948d7b65db257a6066d7c93b70812c9caaa3486bd643d134d7c1ed5cb89cfe91a749c4d65d1

Download Submit
C:\Windows\SysWOW64\vkzvkymvkb.exe

Filesize
327KB

MD5
8b66f03f7c3d1c8dc61c39a079eccb08

SHA1
03844e09bb593a62e267ac039814fe8acb97d92b

SHA256
308e8ce05d6745f3252cdb4e446a2c645f3ae369f02d14978350af154a262588

SHA512
67532852111dde424007a720b5f58de75f7238977836ec2dc05c951de9e8b42ce36b678188130e2f79e6cdd1b432055b26ba1075eac6cbbdb105727b1be462cf

Download Submit
C:\Windows\SysWOW64\vkzvkymvkb.exe

Filesize
258KB

MD5
eaf897e26cf32df7e291b7637913ac6c

SHA1
f5ccff04224ea5e74a81d075f681359367e13f75

SHA256
8fa36843be47b32c14b566ba8ffd9a151729d359fea5ae81eeaba21e7f2b5317

SHA512
c7e8bc2088aab7e2b4e359fe804631b3f2952651b4965f7b7a097dac1f59c33c5a4a4081eac6c230b6a2030acbe29d0a6eb5734c22e54fd7a39dabc7ea4aa05c

Download Submit
C:\Windows\SysWOW64\vsyisegz.exe

Filesize
311KB

MD5
13acbb89fb2223f2dac9d67cfa2fdfe0

SHA1
2f95dd81f3fd0e0e73bdb01c60c34627a2e0159c

SHA256
80391c5483292047fbb4ddda319761920a8e83ce92d567cdb76a7167a601c1d1

SHA512
250c92021b9f85690eeed696ee8f49b4135f670d5afe969dca87ea92e0d9636cbafeed117e25cac4a9f9598bfe1ee629dbc61b78f9bdbd9007bfe97f90d04809

Download Submit
C:\Windows\SysWOW64\vsyisegz.exe

Filesize
296KB

MD5
974593a8376a2ac0320fca8e59e6c352

SHA1
13f337295652270b0a4031ee85575abdce3ca33b

SHA256
508d10464159158d24cca450edbb2607b280b3247b7b61b33125c4752412b353

SHA512
42d3f2572461d6f5426e683fee649b0b5828d5f3f751632b9a67d6b97b714aeda82362da144e44b92ac6bf3967da17d9ee162527a0472821bf2386c9c12b259c

Download Submit
C:\Windows\SysWOW64\vsyisegz.exe

Filesize
281KB

MD5
dadb5950258811302b622d2d9648e5f1

SHA1
3785e6adfa31c1fadda33bfb6647637b14458124

SHA256
a97df5e630d344c10c19b60963d53eeb46ebeeeacb478f9ac4aafc5394662b23

SHA512
18506fbd19949062dd82466f6e87794eb46818898f2b7d38d60d0f917883fac2807cd4fd8379e7aec706f9919ba6ad2b8fb4abc35c89abb255274a9f4da0c340

Download Submit
C:\Windows\SysWOW64\zriuhowwluuqg.exe

Filesize
271KB

MD5
7be98e559c4ab644958305575fe63039

SHA1
2766bb82da5e07c476baf61ca73dd49b1a953783

SHA256
4ee66a2cc25d8de7d718e7b4783577d51de9eef3f0a5181f605d37469f88391d

SHA512
124021be31241d4a347318fe85f1de9334467bfa513245e881ea9e61d2987e47f5fa1b436a87684359170cfa76d34b968462c734efaf3a31a6761c048ee2773c

Download Submit
C:\Windows\SysWOW64\zriuhowwluuqg.exe

Filesize
339KB

MD5
f0fb502c9c171483cd917963d74fa227

SHA1
9bc77798899bf72990b8bf4eb1472fbf5661af65

SHA256
578c7ae100b19993d66a8510cf839b29e1950a8fcb303ad703cc51e53b6eef22

SHA512
bcdf329ed53e033dd603ab9c0b6dbaae88940bd7e939036de880d668efd5245c42ccd71bd07d9c68a6df56f748a2f60269e56ea383e923d28272ed615a92a6a6

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\iehkwubcnpyncsu.exe

Filesize
295KB

MD5
35803a61167dad42be7dcb4e4e1bc9d9

SHA1
0db8d93f07e3c24b41f7354b97b9f31f846ff4e0

SHA256
28bbcbc3a2a2c21fcaab3ba111e2b8972131be3b4bbdc8ea7e1512448d19564a

SHA512
5e22d604d5d9881b9565fe02fe750126a667031a9151c8e561b3d163a70544c372b891f952021b1e806fba6369a89e826cf5a4570d36bd1baaa4588fbf8915f3

Download Submit
\Windows\SysWOW64\vkzvkymvkb.exe

Filesize
382KB

MD5
6b092ae626d47dd169000db8a0c8e9d7

SHA1
b7307344e0c82b036d46c834b6aac177bd71c003

SHA256
a301ae77e50bc8a51fc431faebf651b0e8d4c0f435d39dcebc99ab6a13b22e11

SHA512
8fd4ad8edd88d1a0cdee4945b61f827c4cc527d995acd49b396e00dab12a4a2d4d18eec439265f38039ee5f9080bd25e4b0672f76854527cc8ac64b180e65e27

Download Submit
\Windows\SysWOW64\vsyisegz.exe

Filesize
323KB

MD5
173978edf5ced70a52e0d4c84e5d9f65

SHA1
8a341eb704bd1d9acefc3cd0c9b4ef99f72628f8

SHA256
30a3a435d82ba29ccbceb0d03cf8b412a9efb3bf3c67f0136d610ee3239bf294

SHA512
54de3416d77c87044956b136552b6331ca0cd3af26ca131b720633a98ce308e48515036cc4cbc54f13006672cc5a3d0617505c19fa2886b4177acecfde9204f9

Download Submit
\Windows\SysWOW64\vsyisegz.exe

Filesize
279KB

MD5
ff3ea0b3514a365b20f80de23a890136

SHA1
1f2e3a3aa0a732fccff1fd91a8a05efbcf74553c

SHA256
3b8df001f3ad779edee36c1e89b89c92c8b9ad69223ef96bcf896d806beb09dc

SHA512
1a839a36d4dc4f2ddfa112b5d507489a47c199c7b8221c5c39a0feab0968e94b0a4152b94b157ddcf2aa97108337ff5459a24c116d4f72a795f2c8d35b772927

Download Submit
\Windows\SysWOW64\zriuhowwluuqg.exe

Filesize
209KB

MD5
fc899942813fd04f86a8915d05f3f7ee

SHA1
a3de0d9bcdc3deb91a3516888359716c0780be5b

SHA256
da7cba56648abdb7b5aff432d3d56a70acf2f2fa91c56a98b1963791214ce9be

SHA512
f3fde337caa746d891e8c3275a2ff6353cab2772d2eac6a5fbc85548543443830dd5cf95c7c5b4648685d2752f40a3d9a534cbd853823c802417bfbec9855c61

Download Submit
memory/2372-45-0x000000002FA51000-0x000000002FA52000-memory.dmp

Filesize
4KB

Download
memory/2372-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2372-47-0x00000000716BD000-0x00000000716C8000-memory.dmp

Filesize
44KB

Download
memory/2372-80-0x00000000716BD000-0x00000000716C8000-memory.dmp

Filesize
44KB

Download
memory/2372-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download