Analysis
  max time kernel:   149s
  max time network:  119s
  platform:          windows7_x64
  resource:          win7-20231215-en
  resource tags:     arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:         07/01/2024, 19:09

Tasks
  static1       static task
  behavioral1   a18506b622dbef775f88d8a8d3446d8b.exe on win7-20231215-en (the run this report covers)
  behavioral2   a18506b622dbef775f88d8a8d3446d8b.exe on win10v2004-20231215-en
General
  Target:  a18506b622dbef775f88d8a8d3446d8b.exe
  Size:    512KB
  MD5:     a18506b622dbef775f88d8a8d3446d8b
  SHA1:    86bd3d2ebfc928f2fb053c3a9e4765176f9b3a8c
  SHA256:  c1a0690dfbdfa9a48eaa977809e214981c5bcbbf89ba85f2092cecf0e898f78e
  SHA512:  3e4f2e25c7780052d527fc285b31ce759b04a4f078a7ff4e4f2c2af6d50af05bb1f0d4e48995b15e30656a5a64ecc58bd56bfe31a6cef78ff70e926dd960f835
  SSDEEP:  6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6A:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  With HideFileExt = 1 Explorer shows only the first extension of a file name, so the PROTTPLN.DOC.exe and PROTTPLV.DOC.exe files that eixlwgsp.exe drops into the Office template directory (see "Drops file in Program Files directory") display as PROTTPLN.DOC and PROTTPLV.DOC.

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Windows security bypass (5 IoCs)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  These are the legacy Security Center values that suppress the "no antivirus / firewall / updates" warnings and tell Security Center to stop monitoring those products. They silence the warning; they do not stop any security product. The writes land under Wow6432Node because the writer is a 32-bit process (every dropped binary lives in SysWOW64), so a hunt for these values has to look under both the native key and the Wow6432Node view.
Disables RegEdit via registry modification (1 IoC)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  This is the per-user policy that makes regedit.exe refuse to start for this account. It does not affect registry API calls made by other processes, so the sample keeps writing, and the hive can still be inspected from another account or with other tooling.
Executes dropped EXE (6 IoCs)
  pid    process
  2164   efdsrbqrvk.exe
  2332   gjmakelomawfxxz.exe
  2744   eixlwgsp.exe
  2728   kbmhhlbbqwydx.exe
  2900   kbmhhlbbqwydx.exe
  2620   eixlwgsp.exe

Loads dropped DLL (6 IoCs)
  pid    process
  2256   a18506b622dbef775f88d8a8d3446d8b.exe (4 entries)
  2720   cmd.exe
  2164   efdsrbqrvk.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  (no IoCs listed for this signature)
Windows security modification (6 IoCs)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"
  The same five Security Center writes as in "Windows security bypass", matched here by a broader signature, plus FirstRunDisabled.
Adds Run key to start application (2 TTPs, 3 IoCs)
  gjmakelomawfxxz.exe   Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ltsclris = "efdsrbqrvk.exe"
  gjmakelomawfxxz.exe   Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\omhkdcrw = "gjmakelomawfxxz.exe"
  gjmakelomawfxxz.exe   Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kbmhhlbbqwydx.exe"   (the value name is empty)
  All three entries are written by gjmakelomawfxxz.exe, and the data are bare file names rather than full paths; the copies sit in C:\Windows\SysWOW64 (see "Drops file in System32 directory"), which is what a 32-bit process sees as System32. Whether a bare name in the Wow6432Node Run key actually resolves to the SysWOW64 copy at logon on a 64-bit image is worth confirming in the behavioral2 (Windows 10) task rather than assumed from this listing.
Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 64 entries are "File opened (read-only) \??\<letter>:"; collapsed by process (eixlwgsp.exe runs twice, as PIDs 2744 and 2620, so its letters repeat):
  process          opens   distinct drive roots
  eixlwgsp.exe     42      a b e g h i j k l m n o p q r s t u v w x y z
  efdsrbqrvk.exe   22      a b e g h i j k l m n o p q r s t u v w x z
  c: is excluded by the signature definition. Probing every letter from a: to z: in turn is the drive-discovery loop typical of a worm looking for removable or mapped volumes to copy itself to; the 64-entry list is where the page stops, not necessarily where the sample stopped.
Modifies WinLogon (2 TTPs, 2 IoCs)
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"
  efdsrbqrvk.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"
  4294967197 is 0xFFFFFF9D, the value used on Windows 2000/XP to turn off Windows File Protection (SFCScan = 0 disables its boot-time scan). Windows Vista and later replaced WFP with Windows Resource Protection, which does not read these values, so on this Windows 7 image the writes are a fingerprint of old code rather than an effective bypass; they are still a clean detection opportunity because nothing legitimate writes them.
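To turn the registry signatures above (Explorer hiding, Security Center overrides, DisableRegistryTools, the Run keys and the Winlogon SFC values) into something reusable, here is an added Python example that parses tria.ge-style "Set value" lines, normalises the hive prefix and the Wow6432Node redirection, matches each write against a small rule table and decodes the unsigned DWORD that SFCDisable carries. It is not code from tria.ge or from the sample; the rule table, the hive aliases, the helper names and the ATT&CK IDs attached to the report's technique names are this example's own, and the SAMPLE lines are copied from the sections above.

```python
"""Match tria.ge registry "Set value" lines against a small rule table.

Added example, not part of the original report or of tria.ge. SAMPLE is
copied from the signature sections of the report; the rule table, the
hive aliases, the helper names and the ATT&CK IDs attached to the
report's technique names are this example's own.
"""
import re
from dataclasses import dataclass

# tria.ge prints:  Set value (int) \REGISTRY\MACHINE\...\Name = "1" process.exe
LINE_RE = re.compile(
    r'^Set value \((?P<kind>int|str|data)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*?)" (?P<proc>\S+)$'
)
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# copied from the report (assumption: one write per line, as tria.ge renders them)
SAMPLE = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" efdsrbqrvk.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" efdsrbqrvk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" efdsrbqrvk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" efdsrbqrvk.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" efdsrbqrvk.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ltsclris = "efdsrbqrvk.exe" gjmakelomawfxxz.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kbmhhlbbqwydx.exe" gjmakelomawfxxz.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" efdsrbqrvk.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" efdsrbqrvk.exe',
]


@dataclass
class RegWrite:
    kind: str
    path: str   # normalised: hive alias, Wow6432Node removed, SID kept
    value: str
    proc: str


def normalise(path: str) -> str:
    for raw, alias in HIVES.items():
        if path.upper().startswith(raw.upper()):
            path = alias + path[len(raw):]
            break
    # a 32-bit writer lands under Wow6432Node; the rules are keyed on the logical path
    return re.sub(r"\\Wow6432Node", "", path, flags=re.I)


def parse(lines):
    writes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            writes.append(RegWrite(m["kind"], normalise(m["path"]), m["value"], m["proc"]))
    return writes


# (regex on the normalised path, required value or None, label,
#  ATT&CK id of the technique name the report maps the signature to)
RULES = [
    (r"\\Explorer\\Advanced\\HideFileExt$", "1", "hide file extensions", "T1564.001"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", "0", "hide system files", "T1564.001"),
    (r"\\Security Center\\(\w+Override|\w+DisableNotify|FirstRunDisabled)$", "1",
     "suppress Security Center warnings", "T1562.001"),
    (r"\\Policies\\System\\DisableRegistryTools$", None, "block regedit", "T1112"),
    (r"\\CurrentVersion\\Run\\[^\\]*$", None, "Run key persistence", "T1547.001"),
    (r"\\Winlogon\\SFCDisable$", None, "legacy WFP disable value", "T1547.004"),
    (r"\\Winlogon\\SFCScan$", "0", "legacy WFP boot scan off", "T1547.004"),
]


def dword_repr(value: str) -> str:
    """tria.ge prints DWORDs unsigned; add the hex and signed readings."""
    try:
        n = int(value)
    except ValueError:
        return value
    signed = n - (1 << 32) if n >= (1 << 31) else n
    return f"{n} (0x{n & 0xFFFFFFFF:08X}, signed {signed})"


def triage(lines):
    """(process, label, attack_id, path, value) for every line a rule matches."""
    hits = []
    for w in parse(lines):
        for pat, want, label, tid in RULES:
            if re.search(pat, w.path, re.I) and (want is None or w.value == want):
                shown = dword_repr(w.value) if w.kind == "int" else w.value
                hits.append((w.proc, label, tid, w.path, shown))
                break
    return hits


if __name__ == "__main__":
    for proc, label, tid, path, shown in triage(SAMPLE):
        print(f"{tid:10} {label:36} {proc:22} {path} = {shown}")
```

The rules deliberately ignore the Wow6432Node branch and the concrete SID, so the same table works for a 64-bit writer or a different user; the DWORD decoding is what turns "4294967197" into the recognisable 0xFFFFFF9D.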
AutoIT Executable (8 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                     yara_rule
  behavioral1/memory/2256-0-0x0000000000400000-0x0000000000496000-memory.dmp   autoit_exe
  behavioral1/files/0x000c000000012242-20.dat                                  autoit_exe
  behavioral1/files/0x000c000000012242-26.dat                                  autoit_exe
  behavioral1/files/0x0022000000014e4c-34.dat                                  autoit_exe
  behavioral1/files/0x0022000000014e4c-28.dat                                  autoit_exe
  behavioral1/files/0x000d00000001233d-25.dat                                  autoit_exe
  behavioral1/files/0x0006000000016c45-75.dat                                  autoit_exe
  behavioral1/files/0x0006000000016a93-69.dat                                  autoit_exe
  The rule fires on the sample's own image in PID 2256 and on seven dropped files, so the dropped binaries are AutoIt-compiled as well. The embedded script can normally be extracted from a compiled AutoIt binary, which is a faster route to the logic than reading the behavioural trace.
Drops file in System32 directory (9 IoCs)
  a18506b622dbef775f88d8a8d3446d8b.exe   File created                  C:\Windows\SysWOW64\efdsrbqrvk.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File opened for modification  C:\Windows\SysWOW64\efdsrbqrvk.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File created                  C:\Windows\SysWOW64\gjmakelomawfxxz.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File opened for modification  C:\Windows\SysWOW64\gjmakelomawfxxz.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File created                  C:\Windows\SysWOW64\eixlwgsp.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File opened for modification  C:\Windows\SysWOW64\eixlwgsp.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File created                  C:\Windows\SysWOW64\kbmhhlbbqwydx.exe
  a18506b622dbef775f88d8a8d3446d8b.exe   File opened for modification  C:\Windows\SysWOW64\kbmhhlbbqwydx.exe
  efdsrbqrvk.exe                         File opened for modification  C:\Windows\SysWOW64\msvbvm60.dll
  The original sample writes all four droppers; efdsrbqrvk.exe additionally opens msvbvm60.dll (the Visual Basic 6 runtime DLL) for modification in the same directory. The paths read SysWOW64 because a 32-bit process's writes to System32 are redirected there.
Drops file in Program Files directory (15 IoCs)
  All 15 entries are by eixlwgsp.exe inside C:\Program Files (x86)\Microsoft Office\Office14\1033\ (the same files appear both as C:\... and as \??\c:\...):
  operation                     file              entries
  File created                  PROTTPLN.DOC.exe  2
  File created                  PROTTPLV.DOC.exe  1
  File opened for modification  PROTTPLN.DOC.exe  4
  File opened for modification  PROTTPLV.DOC.exe  4
  File opened for modification  PROTTPLN.nal      2
  File opened for modification  PROTTPLV.nal      2
  PROTTPLN.DOC.exe and PROTTPLV.DOC.exe are executables with a document-looking double extension, written next to the Office templates of the same base name; with HideFileExt = 1 (set by efdsrbqrvk.exe above) they appear as PROTTPLN.DOC and PROTTPLV.DOC. The role of the .nal files is not shown on this page.
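The two file-system patterns in this section and in "Enumerates connected drives" (a process opening every drive root in turn, and executables created with a document-looking double extension) are easy to score from sandbox file events. The Python below is an added example, not code from tria.ge or from the sample: EVENTS is a constructed subset of the report's entries as (process, operation, path) tuples, and the threshold, the extension lists and the helper names are this example's own choices.

```python
"""Flag drive-root sweeps and double-extension companion files in
sandbox file events.

Added example, not part of the original report. EVENTS is a constructed
subset of the report's "Enumerates connected drives" and "Drops file in
Program Files directory" entries as (process, operation, path) tuples;
the threshold, the extension lists and the helper names are this
example's own choices.
"""
import re
from collections import defaultdict

# NT object-manager form tria.ge prints for a drive root: \??\x:
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.I)
# document-looking name followed by an executable extension, e.g. PROTTPLN.DOC.exe
DOUBLE_EXT = re.compile(r"\.(doc|docx|xls|xlsx|ppt|pptx|pdf|rtf|txt)\.(exe|scr|com|pif)$", re.I)

EVENTS = [
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\n:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\j:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\r:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\z:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\a:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\h:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\i:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\s:"),
    ("eixlwgsp.exe", "File opened (read-only)", r"\??\s:"),   # repeated open, counted once
    ("efdsrbqrvk.exe", "File opened (read-only)", r"\??\s:"),
    ("efdsrbqrvk.exe", "File opened (read-only)", r"\??\a:"),
    ("efdsrbqrvk.exe", "File opened (read-only)", r"\??\z:"),
    ("efdsrbqrvk.exe", "File opened (read-only)", r"\??\b:"),
    ("eixlwgsp.exe", "File created", r"\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe"),
    ("eixlwgsp.exe", "File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe"),
    ("eixlwgsp.exe", "File created", r"\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe"),
    ("eixlwgsp.exe", "File created", r"\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe"),
    ("eixlwgsp.exe", "File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal"),
    ("a18506b622dbef775f88d8a8d3446d8b.exe", "File created", r"C:\Windows\SysWOW64\efdsrbqrvk.exe"),
]


def canonical(path: str) -> str:
    """Strip the \\??\\ prefix and upper-case the drive letter so both spellings compare equal."""
    if path.startswith("\\??\\"):
        path = path[4:]
    if len(path) > 1 and path[1] == ":":
        path = path[0].upper() + path[1:]
    return path


def drive_sweep(events, threshold=5):
    """Processes that opened at least `threshold` distinct drive roots -> {process: letters}."""
    seen = defaultdict(set)
    for proc, op, path in events:
        m = DRIVE_ROOT.match(path)
        if m and op.startswith("File opened"):
            seen[proc].add(m.group(1).lower())
    return {p: sorted(s) for p, s in seen.items() if len(s) >= threshold}


def companion_executables(events):
    """Executables created with a document-looking double extension.

    Returns [(process, canonical path, name as Explorer shows it with
    HideFileExt = 1)], one entry per distinct (process, path)."""
    hits, seen = [], set()
    for proc, op, path in events:
        if op != "File created":
            continue
        cpath = canonical(path)
        name = cpath.rsplit("\\", 1)[-1]
        if DOUBLE_EXT.search(name) and (proc, cpath) not in seen:
            seen.add((proc, cpath))
            hits.append((proc, cpath, name.rsplit(".", 1)[0]))
    return hits


if __name__ == "__main__":
    for proc, letters in drive_sweep(EVENTS).items():
        print(f"{proc}: swept {len(letters)} drive roots ({''.join(letters)})")
    for proc, path, shown in companion_executables(EVENTS):
        print(f"{proc}: {path}  (shown as '{shown}' when extensions are hidden)")
```

On the full report data eixlwgsp.exe and efdsrbqrvk.exe both clear the threshold by a wide margin (23 and 22 distinct letters); the threshold exists so that a backup agent or an installer touching two or three volumes does not fire.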
Drops file in Windows directory (5 IoCs)
  a18506b622dbef775f88d8a8d3446d8b.exe   File opened for modification  C:\Windows\mydoc.rtf
  WINWORD.EXE                            File opened for modification  C:\Windows\mydoc.rtf
  WINWORD.EXE                            File created                  C:\Windows\~$mydoc.rtf
  WINWORD.EXE                            File opened for modification  C:\Windows\~$mydoc.rtf
  WINWORD.EXE                            File opened for modification  C:\Windows\Debug\WIA\wiatrace.log
  The sample writes mydoc.rtf and then starts Word on it (see Processes); the ~$mydoc.rtf owner file and the WIA trace are Word's own side effects of opening a document. Whether the RTF is only a decoy or carries an embedded object is not answered on this page (the "Office loads VBA resources" signature fired without an IoC), so the file is worth pulling from the run.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present
  (no IoCs listed for this signature)

Modifies Internet Explorer settings (31 IoCs, all by WINWORD.EXE)
  Default HTML Editor (under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\):
    Key deleted      Default HTML Editor
    Key deleted      Default HTML Editor\shell
    Key deleted      Default HTML Editor\shell\edit
    Key deleted      Default HTML Editor\shell\edit\COMMAND
    Key created      Default HTML Editor
    Key created      Default HTML Editor\shell
    Key created      Default HTML Editor\shell\edit
    Key created      Default HTML Editor\shell\edit\command
    Set value (str)  Default HTML Editor\shell\edit\ = "&Edit"
    Set value (str)  Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (data) Default HTML Editor\shell\edit\command\command = <Word descriptor blob, below>
  Default MHTML Editor (same parent key):
    Key deleted      Default MHTML Editor
    Key deleted      Default MHTML Editor\shell
    Key deleted      Default MHTML Editor\shell\edit
    Key deleted      Default MHTML Editor\shell\edit\COMMAND
    Key created      Default MHTML Editor
    Key created      Default MHTML Editor\shell
    Key created      Default MHTML Editor\shell\edit
    Key created      Default MHTML Editor\shell\edit\command
    Set value (str)  Default MHTML Editor\shell\edit\ = "&Edit"
    Set value (str)  Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (data) Default MHTML Editor\shell\edit\command\command = <Word descriptor blob, below>
  Per-user IE menu extensions and toolbar (under \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\):
    Key created      MenuExt
    Key created      MenuExt\E&xport to Microsoft Excel
    Set value (int)  MenuExt\E&xport to Microsoft Excel\Contexts = "1"
    Set value (str)  MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
    Key created      MenuExt\Se&nd to OneNote
    Set value (int)  MenuExt\Se&nd to OneNote\Contexts = "55"
    Set value (str)  MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
    Key created      Toolbar
    Set value (str)  Toolbar\ShowDiscussionButton = "Yes"
  Word descriptor blob (identical in both (data) entries):
    7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
  This is Word 2010 registering itself as Internet Explorer's HTML/MHTML editor and installing the Office context-menu extensions, which it does when launched on a fresh image; the sample only triggered it by starting Word. The (data) value is UTF-16LE text and decodes to a Windows Installer descriptor (xb'BV5!!!...MKKSkWORDFiles>... /n "%1"), not to attacker-supplied data. Treat this whole block as Office noise when writing detections.
Modifies registry class (64 IoCs)
  Written by the sample and its droppers (7 entries):
    a18506b622dbef775f88d8a8d3446d8b.exe   Key created      \REGISTRY\MACHINE\Software\Classes\CLV.Classes
    a18506b622dbef775f88d8a8d3446d8b.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD68B1FF6721DBD27CD1D38A099010"
    a18506b622dbef775f88d8a8d3446d8b.exe   Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFAFFFC482D85199130D72B7D97BDEFE6335840664E6343D69C"
    efdsrbqrvk.exe                         Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat
    efdsrbqrvk.exe                         Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh
    efdsrbqrvk.exe                         Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc
    efdsrbqrvk.exe                         Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"
  efdsrbqrvk.exe reassigns .WSF to the txtfile ProgId, so a Windows Script File opened from Explorer lands in a text editor instead of running under the script host; it also creates class keys for .bat, .wsh and .wsc, but the page shows no values under them, so whether those are remapped too is unknown. The two CLV.Classes strings are opaque values the sample stores for itself; the page does not decode them.

  Written by WINWORD.EXE (57 entries, all under \REGISTRY\MACHINE\SOFTWARE\Classes\):
  htmlfile / mhtmlfile ProgIds:
    Key created      htmlfile\shell
    Key created      htmlfile\DefaultIcon
    Key deleted      htmlfile\shell\Edit\command
    Set value (str)  htmlfile\DefaultIcon\ = "\"%1\""
    Set value (str)  htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
    Set value (str)  htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
    Key created      mhtmlfile
    Key created      mhtmlfile\shell
    Key created      mhtmlfile\shell\Edit
    Key deleted      mhtmlfile\shell\Edit\command
    Key created      mhtmlfile\shell\Edit\command
    Key created      mhtmlfile\DefaultIcon
    Key created      mhtmlfile\shellex\IconHandler
    Set value (str)  mhtmlfile\shell\Edit\ = "&Edit"
    Set value (str)  mhtmlfile\DefaultIcon\ = "\"%1\""
    Set value (str)  mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
  Office HTML icon handler CLSID:
    Key created      Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile
    Key created      Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32
    Key created      Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14
    Set value (str)  Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
  .htm OpenWithList:
    Key created      .htm\OpenWithList\Microsoft Word
    Key created      .htm\OpenWithList\Microsoft Word\shell\edit\command
    Key created      .htm\OpenWithList\WinWord.exe\shell\edit\command
    Set value (str)  .htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Key created      .htm\OpenWithList\Microsoft Excel\shell\edit
    Key created      .htm\OpenWithList\Microsoft Excel\shell\edit\command
    Key created      .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec
    Set value (str)  .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
    Set value (str)  .htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
    Key created      .htm\OpenWithList\Excel.exe\shell\edit\command
    Key created      .htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
    Set value (str)  .htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
    Key created      .htm\OpenWithList\Microsoft Publisher\shell\edit
    Set value (data) .htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = <Publisher descriptor blob, below>
  .mht OpenWithList:
    Key created      .mht\OpenWithList
    Key created      .mht\OpenWithList\Microsoft Word
    Key created      .mht\OpenWithList\Microsoft Word\shell\edit
    Key created      .mht\OpenWithList\Microsoft Word\shell\edit\command
    Set value (str)  .mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
    Set value (data) .mht\OpenWithList\Microsoft Word\shell\edit\command\command = <Word descriptor blob, below>
    Set value (str)  .mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"
    Set value (data) .mht\OpenWithList\WinWord.exe\shell\edit\command\command = <Word descriptor blob, below>
    Key created      .mht\OpenWithList\Microsoft Excel
    Key created      .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec
    Key created      .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application
    Set value (str)  .mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
    Set value (str)  .mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
    Set value (str)  .mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
    Key created      .mht\OpenWithList\Excel.exe\shell\edit
    Key created      .mht\OpenWithList\Excel.exe\shell\edit\ddeexec
    Set value (str)  .mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"
    Key created      .mht\OpenWithList\MSPub.exe
    Key created      .mht\OpenWithList\MSPub.exe\shell\edit\command
    Set value (str)  .mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Key created      .mht\OpenWithList\Microsoft Publisher\shell\edit
    Set value (str)  .mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
    Set value (data) .mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = <Publisher descriptor blob, below>
  Descriptor blobs (UTF-16LE, printed as hex by the sandbox):
    Word:      7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
    Publisher: 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
  The WINWORD.EXE entries are Word's normal first-launch registration of the Office HTML/MHTML handlers and "Open with" verbs for Word, Excel and Publisher, including the Excel DDE verb ("[open(\"%1\")]"), and are not attributable to the sample beyond its having started Word. The two descriptor blobs decode to Windows Installer descriptors (...MKKSkWORDFiles>... and ...MKKSkPubPrimary>...), the form Office uses for advertised verbs.
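Separating the seven sample-authored class writes from Word's fifty-seven in the section above is mostly a matter of decoding the hex blobs and keying on the first path component. The Python below is an added example, not code from tria.ge or from the sample: the two hex strings and the WRITES tuples are transcribed from the "Modifies Internet Explorer settings" and "Modifies registry class" entries, while the descriptor heuristic, the extension list, the classification labels and the helper names are this example's own.

```python
"""Decode REG_BINARY "command" blobs and separate the sample's registry
class writes from Word's own registrations.

Added example, not part of the original report. WORD_BLOB, PUB_BLOB and
WRITES are transcribed from the report's "Modifies Internet Explorer
settings" and "Modifies registry class" sections; the descriptor
heuristic, the extension list and the labels are this example's own.
"""
import re

WORD_BLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f00520044"
             "00460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e00"
             "41005a00750020002f006e002000220025003100220000000000")
PUB_BLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0050007500620050"
            "00720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c0072005200700039"
            "0078004000570020002500310000000000")

OFFICE_BINARIES = {"WINWORD.EXE", "EXCEL.EXE", "MSPUB.EXE", "POWERPNT.EXE"}
SCRIPT_EXTS = {".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".wsc", ".ps1"}
HEXBLOB = re.compile(r"^[0-9A-Fa-f]{16,}$")

# constructed subset of the report's entries: (process, operation, path, value)
WRITES = [
    ("WINWORD.EXE", "Set value (data)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.mht\\OpenWithList\\Microsoft Word\\shell\\edit\\command\\command", WORD_BLOB),
    ("WINWORD.EXE", "Set value (data)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.htm\\OpenWithList\\Microsoft Publisher\\shell\\edit\\command\\command", PUB_BLOB),
    ("WINWORD.EXE", "Set value (str)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\htmlfile\\shell\\Print\\command\\",
     '"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" /p %1'),
    ("efdsrbqrvk.exe", "Set value (str)", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.WSF\\", "txtfile"),
    ("efdsrbqrvk.exe", "Key created", "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.bat", ""),
    ("a18506b622dbef775f88d8a8d3446d8b.exe", "Set value (str)",
     "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLV.Classes\\StartCom1", "E7FD68B1FF6721DBD27CD1D38A099010"),
]


def decode_utf16_blob(hexstr: str) -> str:
    """tria.ge prints REG_BINARY as hex; Office writes these values as NUL-terminated UTF-16LE."""
    return bytes.fromhex(hexstr).decode("utf-16-le", errors="replace").rstrip("\x00")


def is_darwin_descriptor(text: str) -> bool:
    """Windows Installer (Darwin) descriptor as Office uses it for advertised verbs:
    an encoded product/feature token, '>', a 20-character component token, optional arguments."""
    return re.match(r"^[\x21-\x3d\x3f-\x7e]{20,}>[\x21-\x7e]{20}(\s.*)?$", text) is not None


def classify(proc: str, op: str, path: str, value: str) -> str:
    """One label per registry-class write."""
    tail = path.split("\\Classes\\", 1)[-1] if "\\Classes\\" in path else path
    first = tail.split("\\", 1)[0].lower()
    if first in SCRIPT_EXTS:
        if op.startswith("Set value") and tail.rstrip("\\").lower() == first:
            return f"script extension {first} remapped to ProgId {value!r}"
        return f"script extension {first} key touched"
    if op == "Set value (data)" and is_darwin_descriptor(decode_utf16_blob(value)):
        return "Windows Installer descriptor (Office advertised verb)"
    if proc.upper() in OFFICE_BINARIES:
        return "Office self-registration"
    if value and HEXBLOB.match(value):
        return "opaque hex value under a non-Office class"
    return "other"


def summarise(writes):
    """{label: count} over a list of writes, for a quick 'what did the sample itself do' view."""
    out = {}
    for w in writes:
        label = classify(*w)
        out[label] = out.get(label, 0) + 1
    return out


if __name__ == "__main__":
    print(decode_utf16_blob(WORD_BLOB))
    for w in WRITES:
        print(f"{w[0]:40} {classify(*w)}")
```

The descriptor check is intentionally strict about the 20-character component token: an attacker-controlled command string such as `"C:\...\evil.exe" %1` has spaces and no `>` and never matches, so it falls through to the hex or "other" buckets instead of being waved through as Office noise.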
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid    process
  2608   WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs, collapsed by pid)
  pid    process                                entries
  2256   a18506b622dbef775f88d8a8d3446d8b.exe   8
  2164   efdsrbqrvk.exe                         5
  2332   gjmakelomawfxxz.exe                    11
  2744   eixlwgsp.exe                           4
  2620   eixlwgsp.exe                           4
  2728   kbmhhlbbqwydx.exe                      16
  2900   kbmhhlbbqwydx.exe                      16
  Three signatures on this page (this one, "Enumerates connected drives" and "Modifies registry class") stop at exactly 64 entries, so 64 appears to be a display cap and these counts are floors.

Suspicious use of FindShellTrayWindow (21 IoCs, collapsed by pid)
  3 entries each for 2256 a18506b622dbef775f88d8a8d3446d8b.exe, 2164 efdsrbqrvk.exe, 2332 gjmakelomawfxxz.exe, 2744 eixlwgsp.exe, 2728 kbmhhlbbqwydx.exe, 2620 eixlwgsp.exe, 2900 kbmhhlbbqwydx.exe

Suspicious use of SendNotifyMessage (21 IoCs, collapsed by pid)
  3 entries each for 2256 a18506b622dbef775f88d8a8d3446d8b.exe, 2164 efdsrbqrvk.exe, 2332 gjmakelomawfxxz.exe, 2744 eixlwgsp.exe, 2728 kbmhhlbbqwydx.exe, 2620 eixlwgsp.exe, 2900 kbmhhlbbqwydx.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    process
  2608   WINWORD.EXE (2 entries)

Suspicious use of WriteProcessMemory (36 IoCs: 9 parent/child pairs, each recorded 4 times)
  parent pid  parent image                           target pid  target image           procid_target
  2256        a18506b622dbef775f88d8a8d3446d8b.exe   2164        efdsrbqrvk.exe         26
  2256        a18506b622dbef775f88d8a8d3446d8b.exe   2332        gjmakelomawfxxz.exe    25
  2256        a18506b622dbef775f88d8a8d3446d8b.exe   2744        eixlwgsp.exe           24
  2332        gjmakelomawfxxz.exe                    2720        cmd.exe                23
  2256        a18506b622dbef775f88d8a8d3446d8b.exe   2728        kbmhhlbbqwydx.exe      22
  2720        cmd.exe                                2900        kbmhhlbbqwydx.exe      19
  2164        efdsrbqrvk.exe                         2620        eixlwgsp.exe           17
  2256        a18506b622dbef775f88d8a8d3446d8b.exe   2608        WINWORD.EXE            16
  2608        WINWORD.EXE                            1524        splwow64.exe           39
  Four writes per target is what process creation looks like on this image, so these records double as the parent links for every process in the run, including cmd.exe 2720, kbmhhlbbqwydx.exe 2900 and eixlwgsp.exe 2620. A write into a process that was already running would be injection rather than creation; none of the pairs here is of that kind.
Processes
  2256  C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\a18506b622dbef775f88d8a8d3446d8b.exe"
        Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    2608  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
          Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      1524  C:\Windows\splwow64.exe
            cmdline: C:\Windows\splwow64.exe 12288
    2728  C:\Windows\SysWOW64\kbmhhlbbqwydx.exe
          cmdline: kbmhhlbbqwydx.exe
          Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    2744  C:\Windows\SysWOW64\eixlwgsp.exe
          cmdline: eixlwgsp.exe
          Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    2332  C:\Windows\SysWOW64\gjmakelomawfxxz.exe
          cmdline: gjmakelomawfxxz.exe
          Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      2720  C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c kbmhhlbbqwydx.exe
            Loads dropped DLL; Suspicious use of WriteProcessMemory
        2900  C:\Windows\SysWOW64\kbmhhlbbqwydx.exe
              cmdline: kbmhhlbbqwydx.exe
              Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    2164  C:\Windows\SysWOW64\efdsrbqrvk.exe
          cmdline: efdsrbqrvk.exe
          Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Windows security modification; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      2620  C:\Windows\SysWOW64\eixlwgsp.exe
            cmdline: C:\Windows\system32\eixlwgsp.exe
            Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

  The sandbox's own process tracking listed 2620, 2900 and 2720 without a parent; they are placed under 2164, 2720 and 2332 here on the strength of the WriteProcessMemory records. Note that 2620 was started with a C:\Windows\system32 path but runs from SysWOW64: the 32-bit parent's view of System32 is redirected, which is also why every dropped binary lives in SysWOW64. The division of labour is visible in the tree: efdsrbqrvk.exe does the registry tampering, gjmakelomawfxxz.exe writes the Run keys, and the two eixlwgsp.exe instances sweep the drives and plant the .DOC.exe companions, while the original sample opens mydoc.rtf in Word as the visible decoy.
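The parent links that the process list depends on come from the WriteProcessMemory records, so it is useful to be able to rebuild the tree from those records directly, collapsing the four-fold repeats and catching a child that appears under two different parents. The Python below is an added example, not tria.ge code: RECORDS holds the nine distinct parent/child pairs from the "Suspicious use of WriteProcessMemory" section (one repeated on purpose), NAMES maps pids to the images in the list above, and the rendering format is this example's own.

```python
"""Rebuild the spawn tree from "wrote to memory of" records.

Added example, not part of the original report. RECORDS holds the nine
distinct parent/child pairs from the report's "Suspicious use of
WriteProcessMemory" section (one pair repeated, as the report repeats
each four times); NAMES maps pids to the images in the Processes list.
The rendering format is this example's own.
"""
import re
from collections import defaultdict

# "PID <parent> wrote to memory of <child> <parent> <parent image> <target index>"
REC = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")

RECORDS = """
PID 2256 wrote to memory of 2164 2256 a18506b622dbef775f88d8a8d3446d8b.exe 26
PID 2256 wrote to memory of 2164 2256 a18506b622dbef775f88d8a8d3446d8b.exe 26
PID 2256 wrote to memory of 2332 2256 a18506b622dbef775f88d8a8d3446d8b.exe 25
PID 2256 wrote to memory of 2744 2256 a18506b622dbef775f88d8a8d3446d8b.exe 24
PID 2332 wrote to memory of 2720 2332 gjmakelomawfxxz.exe 23
PID 2256 wrote to memory of 2728 2256 a18506b622dbef775f88d8a8d3446d8b.exe 22
PID 2720 wrote to memory of 2900 2720 cmd.exe 19
PID 2164 wrote to memory of 2620 2164 efdsrbqrvk.exe 17
PID 2256 wrote to memory of 2608 2256 a18506b622dbef775f88d8a8d3446d8b.exe 16
PID 2608 wrote to memory of 1524 2608 WINWORD.EXE 39
"""

NAMES = {
    2256: "a18506b622dbef775f88d8a8d3446d8b.exe", 2164: "efdsrbqrvk.exe",
    2332: "gjmakelomawfxxz.exe", 2744: "eixlwgsp.exe", 2728: "kbmhhlbbqwydx.exe",
    2720: "cmd.exe", 2900: "kbmhhlbbqwydx.exe", 2620: "eixlwgsp.exe",
    2608: "WINWORD.EXE", 1524: "splwow64.exe",
}


def parse_records(text):
    """{child: parent}; repeated records collapse, a child with two parents is an error
    (that would be injection into a running process, not creation)."""
    parents = {}
    for m in REC.finditer(text):
        parent, child = int(m.group(1)), int(m.group(2))
        if parents.setdefault(child, parent) != parent:
            raise ValueError(f"pid {child} written by both {parents[child]} and {parent}")
    return parents


def spawn_chain(parents, pid):
    """Ancestry from the root down to pid, e.g. [2256, 2332, 2720, 2900]."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def render(parents, names):
    """Indented tree, one line per process, children in pid order."""
    children = defaultdict(list)
    for child, parent in parents.items():
        children[parent].append(child)
    roots = sorted(set(parents.values()) - set(parents))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_records(RECORDS), NAMES)))
```

Run stand-alone it prints a single tree rooted at 2256 with 2620 under 2164, 2720 under 2332 and 2900 under 2720, which is the structure the process list above uses.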
Network
MITRE ATT&CK Enterprise v15
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Defense Evasion
    Hide Artifacts (2)
      Hidden Files and Directories (2)
    Impair Defenses (2)
      Disable or Modify Tools (2)
    Modify Registry (7)
Downloads (dropped files; names are not shown in this section)
  1. 512KB
     MD5:    cf0a37bbce4a1beed9e7f34171b9f731
     SHA1:   945422f1013d704f1e10172f7949dd716e449699
     SHA256: 48242553c443e077f2879dff12629c067f25e396dee60390c381e1c56fb1d264
     SHA512: eb8c0d4760b7b61d8a10baf84f89c03e980db830a0092a7024ff3b0660f192a0a010353ae831c460e3a0eadb53f6e7a5a2704a34cb6a7322038b526c528e8e01
  2. 512KB
     MD5:    738f85bb605683bd123209ebceea1a51
     SHA1:   89645fbe8447e4a2a19106e0cebc87d77453b2ed
     SHA256: 705aca4f8218e10b8793d5e2461acbe10531f0e97faf027889f6b4a21937ba5b
     SHA512: 406c2356e96e4df828d2e6b8abe8292df8f9ef2adaedef9361793d81f1486d2cab48577133ee78fdae43dc95aa6706ccf2f13b1e07df1bbb054538779a304fea
  3. 20KB
     MD5:    6d0fda498b0e105cf47f3096de25754d
     SHA1:   fdd413d601ae9591c8731cda4f2234db5ee5ea31
     SHA256: bf24382eb00eb8847cfcdd3f8ad2a377fc6e7a61063af081959b19ed0e410582
     SHA512: 226a7eac5515bcb586f4276102039d6fab8cfb2f733c646e2e596249d48cab5ea3f9f8d0918d320eb113ba392a7269662ef6d95cdd3b67a1dd876b2fb438962d
  4. 512KB
     MD5:    f0c26efaca069b6cf81d1151bec7d2e7
     SHA1:   b338da14c676644ccb643e719f5ec280ce60ba25
     SHA256: c5f030183d9957d25545ff6823cbe67c4793ebb139f9d3f9a5b83d635beefeac
     SHA512: fcbc23fece41de487277f3c0503807a1eb7be77daab5e9934b322581a82c05bf739c1bd602facf80c98f6dbc4af0118078bdf68423206561793866ae35239ac8
  5. 92KB
     MD5:    59ebf1358a9b829f5709baaedeeee6fa
     SHA1:   1409fd65da1b814db0a08feae54366dfca196f1c
     SHA256: d251f3126813d9f42461b0d23153c37c405979347a47fb0f04e0503beaf31a06
     SHA512: a2d71b94a087aa6d376f4f065d9f7ff987fd50ea93949372fa9ef5b6692b45cef7ae267c88376b9d2953e4476496f67af1173e9f0f8ba81101dc94c6872cf417
  6. 512KB
     MD5:    dcad18163042b6bf14d80b8a1a391ba8
     SHA1:   b5d37e69627312c93517eb1de36e86d020979655
     SHA256: 9ebc7b28994a40d3d9576f09edca7f96d3f2eec6123077a29893ffd54d76d284
     SHA512: fb4b6a837e92e64240e2d8cfc255f2cf62721edb67033e8f435f6207cba6aaa34f1bcde6a32550803afd936bfd6be8c7f687e26e9922791313f9e2ff329a750e
  7. 381KB
     MD5:    30aec9e0b33fbd99234328357879f812
     SHA1:   3c9d37139d4ccfe2b694afba9633170d0f510a92
     SHA256: 15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563
     SHA512: 2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415
  Four of the seven dropped files are 512KB, the size of the original sample, and all four SysWOW64 binaries match the autoit_exe rule; the four 512KB items have different hashes from the sample and from each other, so they are not byte-identical copies.