Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
03/01/2024, 14:41
Static task
static1
Behavioral task
behavioral1
Sample
15ab0a725fb6a659909cc1faf2600910.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
15ab0a725fb6a659909cc1faf2600910.exe
Resource
win10v2004-20231215-en
General
-
Target
15ab0a725fb6a659909cc1faf2600910.exe
-
Size
512KB
-
MD5
15ab0a725fb6a659909cc1faf2600910
-
SHA1
c7522e69040c0780f297937cd7c70a91fa44fc3e
-
SHA256
caf8e784f7a32ab970dc20feb31848377f4705fd4c093a96123fcdd948be8e4a
-
SHA512
3adfc2caaa45030e8346c01e8b791f541fb4f663c82d7ea33d72dfa477f355cbc82fb9fa5bbbae857882668930a4615eba245ad2b34583d05cd4208815423412
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6W:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5r
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nekmsqrtlz.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nekmsqrtlz.exe
-
Windows security bypass 5 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nekmsqrtlz.exe
-
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nekmsqrtlz.exe
-
Executes dropped EXE 5 IoCs
pid | Process
2852 | nekmsqrtlz.exe
2928 | uqiteqhuxeupjry.exe
2716 | fayxveoq.exe
2608 | jwzxrlahkwkqd.exe
2596 | fayxveoq.exe
-
Loads dropped DLL 6 IoCs
pid | Process
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2904 | cmd.exe
2852 | nekmsqrtlz.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nekmsqrtlz.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dnzaiddp = "nekmsqrtlz.exe" | uqiteqhuxeupjry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\asqfveok = "uqiteqhuxeupjry.exe" | uqiteqhuxeupjry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jwzxrlahkwkqd.exe" | uqiteqhuxeupjry.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | fayxveoq.exe
File opened (read-only) | \??\a: | nekmsqrtlz.exe
File opened (read-only) | \??\r: | fayxveoq.exe
File opened (read-only) | \??\m: | nekmsqrtlz.exe
File opened (read-only) | \??\i: | fayxveoq.exe
File opened (read-only) | \??\s: | fayxveoq.exe
File opened (read-only) | \??\w: | fayxveoq.exe
File opened (read-only) | \??\z: | fayxveoq.exe
File opened (read-only) | \??\i: | fayxveoq.exe
File opened (read-only) | \??\p: | fayxveoq.exe
File opened (read-only) | \??\e: | nekmsqrtlz.exe
File opened (read-only) | \??\h: | nekmsqrtlz.exe
File opened (read-only) | \??\y: | fayxveoq.exe
File opened (read-only) | \??\u: | nekmsqrtlz.exe
File opened (read-only) | \??\z: | nekmsqrtlz.exe
File opened (read-only) | \??\a: | fayxveoq.exe
File opened (read-only) | \??\k: | fayxveoq.exe
File opened (read-only) | \??\r: | fayxveoq.exe
File opened (read-only) | \??\x: | fayxveoq.exe
File opened (read-only) | \??\v: | fayxveoq.exe
File opened (read-only) | \??\g: | fayxveoq.exe
File opened (read-only) | \??\m: | fayxveoq.exe
File opened (read-only) | \??\q: | fayxveoq.exe
File opened (read-only) | \??\t: | fayxveoq.exe
File opened (read-only) | \??\v: | fayxveoq.exe
File opened (read-only) | \??\y: | fayxveoq.exe
File opened (read-only) | \??\k: | nekmsqrtlz.exe
File opened (read-only) | \??\o: | nekmsqrtlz.exe
File opened (read-only) | \??\u: | fayxveoq.exe
File opened (read-only) | \??\b: | fayxveoq.exe
File opened (read-only) | \??\x: | fayxveoq.exe
File opened (read-only) | \??\r: | nekmsqrtlz.exe
File opened (read-only) | \??\v: | nekmsqrtlz.exe
File opened (read-only) | \??\h: | fayxveoq.exe
File opened (read-only) | \??\j: | fayxveoq.exe
File opened (read-only) | \??\b: | fayxveoq.exe
File opened (read-only) | \??\m: | fayxveoq.exe
File opened (read-only) | \??\n: | fayxveoq.exe
File opened (read-only) | \??\t: | fayxveoq.exe
File opened (read-only) | \??\z: | fayxveoq.exe
File opened (read-only) | \??\n: | nekmsqrtlz.exe
File opened (read-only) | \??\x: | nekmsqrtlz.exe
File opened (read-only) | \??\l: | fayxveoq.exe
File opened (read-only) | \??\o: | fayxveoq.exe
File opened (read-only) | \??\l: | fayxveoq.exe
File opened (read-only) | \??\o: | fayxveoq.exe
File opened (read-only) | \??\t: | nekmsqrtlz.exe
File opened (read-only) | \??\w: | nekmsqrtlz.exe
File opened (read-only) | \??\h: | fayxveoq.exe
File opened (read-only) | \??\k: | fayxveoq.exe
File opened (read-only) | \??\q: | fayxveoq.exe
File opened (read-only) | \??\g: | nekmsqrtlz.exe
File opened (read-only) | \??\j: | nekmsqrtlz.exe
File opened (read-only) | \??\l: | nekmsqrtlz.exe
File opened (read-only) | \??\e: | fayxveoq.exe
File opened (read-only) | \??\p: | nekmsqrtlz.exe
File opened (read-only) | \??\y: | nekmsqrtlz.exe
File opened (read-only) | \??\g: | fayxveoq.exe
File opened (read-only) | \??\b: | nekmsqrtlz.exe
File opened (read-only) | \??\q: | nekmsqrtlz.exe
File opened (read-only) | \??\j: | fayxveoq.exe
File opened (read-only) | \??\u: | fayxveoq.exe
File opened (read-only) | \??\i: | nekmsqrtlz.exe
File opened (read-only) | \??\n: | fayxveoq.exe
-
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nekmsqrtlz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nekmsqrtlz.exe
-
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000a000000012247-5.dat | autoit_exe
behavioral1/files/0x000800000001223a-17.dat | autoit_exe
behavioral1/files/0x000800000001223a-19.dat | autoit_exe
behavioral1/files/0x000a000000012247-26.dat | autoit_exe
behavioral1/files/0x002d00000001480f-28.dat | autoit_exe
behavioral1/files/0x002d00000001480f-31.dat | autoit_exe
behavioral1/files/0x0006000000016d58-67.dat | autoit_exe
behavioral1/files/0x0006000000016d5d-73.dat | autoit_exe
behavioral1/files/0x0006000000016fba-75.dat | autoit_exe
-
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\uqiteqhuxeupjry.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File created | C:\Windows\SysWOW64\fayxveoq.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\SysWOW64\fayxveoq.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File created | C:\Windows\SysWOW64\nekmsqrtlz.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\SysWOW64\nekmsqrtlz.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\SysWOW64\uqiteqhuxeupjry.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File created | C:\Windows\SysWOW64\jwzxrlahkwkqd.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\SysWOW64\jwzxrlahkwkqd.exe | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nekmsqrtlz.exe
-
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fayxveoq.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fayxveoq.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | fayxveoq.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fayxveoq.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | fayxveoq.exe
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 15ab0a725fb6a659909cc1faf2600910.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings 31 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
-
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nekmsqrtlz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | 15ab0a725fb6a659909cc1faf2600910.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | nekmsqrtlz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F56BC2FF6E21D9D279D0D18A7D906A" | 15ab0a725fb6a659909cc1faf2600910.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nekmsqrtlz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | nekmsqrtlz.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7D9C2283526D3F77D177242DDA7D8265AA" | 15ab0a725fb6a659909cc1faf2600910.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nekmsqrtlz.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
1936 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2928 | uqiteqhuxeupjry.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
-
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
-
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2040 | 15ab0a725fb6a659909cc1faf2600910.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2852 | nekmsqrtlz.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2928 | uqiteqhuxeupjry.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2716 | fayxveoq.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2608 | jwzxrlahkwkqd.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
2596 | fayxveoq.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1936 | WINWORD.EXE
1936 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 32 IoCs
description | pid | Process | procid_target
PID 2040 wrote to memory of 2852 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 28
PID 2040 wrote to memory of 2852 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 28
PID 2040 wrote to memory of 2852 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 28
PID 2040 wrote to memory of 2852 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 28
PID 2040 wrote to memory of 2928 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 36
PID 2040 wrote to memory of 2928 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 36
PID 2040 wrote to memory of 2928 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 36
PID 2040 wrote to memory of 2928 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 36
PID 2040 wrote to memory of 2716 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 35
PID 2040 wrote to memory of 2716 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 35
PID 2040 wrote to memory of 2716 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 35
PID 2040 wrote to memory of 2716 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 35
PID 2928 wrote to memory of 2904 | 2928 | uqiteqhuxeupjry.exe | 34
PID 2928 wrote to memory of 2904 | 2928 | uqiteqhuxeupjry.exe | 34
PID 2928 wrote to memory of 2904 | 2928 | uqiteqhuxeupjry.exe | 34
PID 2928 wrote to memory of 2904 | 2928 | uqiteqhuxeupjry.exe | 34
PID 2040 wrote to memory of 2608 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 33
PID 2040 wrote to memory of 2608 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 33
PID 2040 wrote to memory of 2608 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 33
PID 2040 wrote to memory of 2608 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 33
PID 2852 wrote to memory of 2596 | 2852 | nekmsqrtlz.exe | 29
PID 2852 wrote to memory of 2596 | 2852 | nekmsqrtlz.exe | 29
PID 2852 wrote to memory of 2596 | 2852 | nekmsqrtlz.exe | 29
PID 2852 wrote to memory of 2596 | 2852 | nekmsqrtlz.exe | 29
PID 2040 wrote to memory of 1936 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 31
PID 2040 wrote to memory of 1936 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 31
PID 2040 wrote to memory of 1936 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 31
PID 2040 wrote to memory of 1936 | 2040 | 15ab0a725fb6a659909cc1faf2600910.exe | 31
PID 1936 wrote to memory of 2944 | 1936 | WINWORD.EXE | 39
PID 1936 wrote to memory of 2944 | 1936 | WINWORD.EXE | 39
PID 1936 wrote to memory of 2944 | 1936 | WINWORD.EXE | 39
PID 1936 wrote to memory of 2944 | 1936 | WINWORD.EXE | 39
Processes
-
C:\Users\Admin\AppData\Local\Temp\15ab0a725fb6a659909cc1faf2600910.exe (depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\15ab0a725fb6a659909cc1faf2600910.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2040
    -
    C:\Windows\SysWOW64\nekmsqrtlz.exe (depth 2)
        Command line: nekmsqrtlz.exe
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Enumerates connected drives
        - Modifies WinLogon
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID:2852
        -
        C:\Windows\SysWOW64\fayxveoq.exe (depth 3)
            Command line: C:\Windows\system32\fayxveoq.exe
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            PID:2596
    -
    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (depth 2)
        Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID:1936
        -
        C:\Windows\splwow64.exe (depth 3)
            Command line: C:\Windows\splwow64.exe 12288
            PID:2944
    -
    C:\Windows\SysWOW64\jwzxrlahkwkqd.exe (depth 2)
        Command line: jwzxrlahkwkqd.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID:2608
    -
    C:\Windows\SysWOW64\fayxveoq.exe (depth 2)
        Command line: fayxveoq.exe
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID:2716
    -
    C:\Windows\SysWOW64\uqiteqhuxeupjry.exe (depth 2)
        Command line: uqiteqhuxeupjry.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID:2928
-
C:\Windows\SysWOW64\jwzxrlahkwkqd.exe (depth 1)
    Command line: jwzxrlahkwkqd.exe
    PID:2580
-
C:\Windows\SysWOW64\cmd.exe (depth 1)
    Command line: cmd.exe /c jwzxrlahkwkqd.exe
    - Loads dropped DLL
    PID:2904
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
-
Filesize
512KB
MD5
f96ad6b7b579c7c7164467aa9bb842a9
SHA1
34329a2a9076857e9e3c70252dfea3f7bcb51853
SHA256
7de112a71923e641f31e7a6b0fd9114a5946dceffc6d87fd9c860b6abac17ced
SHA512
7368f00f1f6d3a0cb1991718e4ff887b3ca7282dfdff6c350d0a28de19db4a9b82a324cf58b809d92aae6c3d0533c313ff2f0c1e45fac9d314f649dbe3d40482
-
Filesize
512KB
MD5
124a8e4095b86399bf59041d090ea887
SHA1
5f0cf8c6bd88e3e38bcb95b8d4c46f19afb90ef7
SHA256
08f53cb7b9ea2f94f04401bab4dc4da0a1b2dcff25ed7b26350d908f6745a6c8
SHA512
db33258c7862ad0859bae3f31006c5d08428c381c5105546504f0d721fc6b0d5350078e69739f819bfb0f90c534eb161b9a0dd58a20149526070500a1dacc55a
-
Filesize
20KB
MD5
09259a234a9674cdf8e599000ea7c44b
SHA1
b5a09a97e8c9c4b11792aa8b92918d925d04877b
SHA256
e74e8aede0c04c740556f7e697555e1a79250f790cc8d1987f830a70a06cbb5e
SHA512
de06154671764cfec9e1ef8a54bcfd0d9e1678e16fbfc528b94f21a0a6e9a830d281e7b191eb46eb10f3a3154654cc2eab3c35b2dc82a3f71d23f4b302167ba0
-
Filesize
512KB
MD5
4f1fc19e0ca8112a281f7035040f9571
SHA1
68722ebf44ab59224d6d253d012a815be423bfe0
SHA256
ba44f7c10a0cd8d0b2f9c0aac6ecb329e11b18d8217bc933d4f1e077de87e237
SHA512
858300c7495536203059e32564e13eb5368836a4f7525192db67229e43834c03696db7d381b48ee393a1a303e3578b215398924245151c147583c37c5042fe2d
-
Filesize
375KB
MD5
e1f7b6be9e636b11c3951989b87bad5b
SHA1
90f49c20dcde2672173aae81f917d38be38f37e0
SHA256
36870ea33766370dc0a510433bf11c147a565ec01bb679db97f06a725d2a0f33
SHA512
05210c877e30f9a8d1ae0afe4a8ffdeea62d4e789b2c23ad01568d7b4e6654a58ef413b3198cdf294ade860076ad65dd684f20f6a67c7360f8f981f3885d38ea
-
Filesize
91KB
MD5
45919c63699643c76616ebd5003d3c7f
SHA1
8b3a793ac7b62244d18fe49c548f6d0dd5f20b5a
SHA256
f2cd726bd32c1aa89c38bc0b95fd8c47873ab1ef5bc8194fd04885fd76ac9e77
SHA512
41bbabacc22a42afd857735de38345818a8caf8aa6d902181c22f30a696826adfe74ab2350ec0c124c4130b103aa4f6db290c57d13e4de9b3b5f4b1d7dfbc8bd
-
Filesize
512KB
MD5
aa5f0ef4a014134248ad7551878819b5
SHA1
9290ca725d41203e9470cc16eca22900ef91d37a
SHA256
35d0748e2bd15111f43d64abcd5cf562dfcd39dd416d657bd808cb47c662ba15
SHA512
ae57afe6c513ed9609e17d962835cf95f5de7fce70ffde22433d5872fb4dad188bcb7215518ab5cc86db8a518ed31e977055d0a3afb22f8e26b97a4c4b775ec3
-
Filesize
92KB
MD5
6662b185f19fbf697c56a25c92de7961
SHA1
0df0c0df0de3724258df2549c583e3c934aca726
SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f
-
Filesize
512KB
MD5
49df36250ce5b8b9d1c4c4f0e7f9d2cd
SHA1
0d93150af4fcd03b9306e42a02934647f535c64f
SHA256
a1c13aa59f78f997c986474efd854885c861c77a6e4bdac125cc202c86a33203
SHA512
299ee62e56b4ce2510a960bbe9c347e12a637fd97b4be160751d0e72a73d4b3d570bd4ec8e3ad011c13eadc9c23ba5f9808a234b2f543db9f60d44cc9a45b2bd