a08683608022e84f917558136d95cfce577f1941292cf14a3fceb1a9722bc10d

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
Size

512KB
MD5

4d5e6dfe78c7d6afdcd33b82ac6c93d4
SHA1

d678125310c103b686c19d8440705536b2b39d55
SHA256

a08683608022e84f917558136d95cfce577f1941292cf14a3fceb1a9722bc10d
SHA512

df1b07039b4421aec83ec4907cd47836a65dd9e98ca8dee26f0e4865c778f9443fca5414bd76737052e5f90c54342ac552e627a4de769ad2aae6609aac5d0a92
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5q

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	xtiojdexdz.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	xtiojdexdz.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xtiojdexdz.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xtiojdexdz.exe

Executes dropped EXE 5 IoCs

pid	Process
2788	xtiojdexdz.exe
2728	pulgfonxcchgkhu.exe
2896	ixgflrvl.exe
2852	drzraqhgydmpk.exe
2748	ixgflrvl.exe

Loads dropped DLL 5 IoCs

pid	Process
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2788	xtiojdexdz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	xtiojdexdz.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kiqvvtkb = "xtiojdexdz.exe"	pulgfonxcchgkhu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\irrkadkj = "pulgfonxcchgkhu.exe"	pulgfonxcchgkhu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "drzraqhgydmpk.exe"	pulgfonxcchgkhu.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	ixgflrvl.exe
File opened (read-only)	\??\o:	ixgflrvl.exe
File opened (read-only)	\??\w:	ixgflrvl.exe
File opened (read-only)	\??\b:	xtiojdexdz.exe
File opened (read-only)	\??\o:	xtiojdexdz.exe
File opened (read-only)	\??\v:	xtiojdexdz.exe
File opened (read-only)	\??\a:	ixgflrvl.exe
File opened (read-only)	\??\b:	ixgflrvl.exe
File opened (read-only)	\??\e:	ixgflrvl.exe
File opened (read-only)	\??\t:	ixgflrvl.exe
File opened (read-only)	\??\j:	xtiojdexdz.exe
File opened (read-only)	\??\k:	xtiojdexdz.exe
File opened (read-only)	\??\r:	ixgflrvl.exe
File opened (read-only)	\??\x:	xtiojdexdz.exe
File opened (read-only)	\??\k:	ixgflrvl.exe
File opened (read-only)	\??\p:	xtiojdexdz.exe
File opened (read-only)	\??\n:	ixgflrvl.exe
File opened (read-only)	\??\s:	ixgflrvl.exe
File opened (read-only)	\??\g:	xtiojdexdz.exe
File opened (read-only)	\??\h:	ixgflrvl.exe
File opened (read-only)	\??\n:	ixgflrvl.exe
File opened (read-only)	\??\g:	ixgflrvl.exe
File opened (read-only)	\??\j:	ixgflrvl.exe
File opened (read-only)	\??\i:	ixgflrvl.exe
File opened (read-only)	\??\p:	ixgflrvl.exe
File opened (read-only)	\??\y:	ixgflrvl.exe
File opened (read-only)	\??\q:	ixgflrvl.exe
File opened (read-only)	\??\x:	ixgflrvl.exe
File opened (read-only)	\??\u:	xtiojdexdz.exe
File opened (read-only)	\??\i:	ixgflrvl.exe
File opened (read-only)	\??\o:	ixgflrvl.exe
File opened (read-only)	\??\r:	ixgflrvl.exe
File opened (read-only)	\??\u:	ixgflrvl.exe
File opened (read-only)	\??\l:	xtiojdexdz.exe
File opened (read-only)	\??\t:	xtiojdexdz.exe
File opened (read-only)	\??\j:	ixgflrvl.exe
File opened (read-only)	\??\k:	ixgflrvl.exe
File opened (read-only)	\??\t:	ixgflrvl.exe
File opened (read-only)	\??\h:	xtiojdexdz.exe
File opened (read-only)	\??\e:	xtiojdexdz.exe
File opened (read-only)	\??\q:	xtiojdexdz.exe
File opened (read-only)	\??\m:	ixgflrvl.exe
File opened (read-only)	\??\e:	ixgflrvl.exe
File opened (read-only)	\??\a:	xtiojdexdz.exe
File opened (read-only)	\??\s:	ixgflrvl.exe
File opened (read-only)	\??\w:	ixgflrvl.exe
File opened (read-only)	\??\z:	xtiojdexdz.exe
File opened (read-only)	\??\b:	ixgflrvl.exe
File opened (read-only)	\??\n:	xtiojdexdz.exe
File opened (read-only)	\??\w:	xtiojdexdz.exe
File opened (read-only)	\??\g:	ixgflrvl.exe
File opened (read-only)	\??\l:	ixgflrvl.exe
File opened (read-only)	\??\u:	ixgflrvl.exe
File opened (read-only)	\??\z:	ixgflrvl.exe
File opened (read-only)	\??\h:	ixgflrvl.exe
File opened (read-only)	\??\x:	ixgflrvl.exe
File opened (read-only)	\??\s:	xtiojdexdz.exe
File opened (read-only)	\??\v:	ixgflrvl.exe
File opened (read-only)	\??\i:	xtiojdexdz.exe
File opened (read-only)	\??\r:	xtiojdexdz.exe
File opened (read-only)	\??\q:	ixgflrvl.exe
File opened (read-only)	\??\m:	ixgflrvl.exe
File opened (read-only)	\??\m:	xtiojdexdz.exe
File opened (read-only)	\??\p:	ixgflrvl.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	xtiojdexdz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	xtiojdexdz.exe

AutoIT Executable 16 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2480-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000012284-5.dat	autoit_exe
behavioral1/files/0x000c000000012252-17.dat	autoit_exe
behavioral1/files/0x000c000000012252-22.dat	autoit_exe
behavioral1/files/0x0008000000012284-23.dat	autoit_exe
behavioral1/files/0x0035000000016312-28.dat	autoit_exe
behavioral1/files/0x0008000000012284-26.dat	autoit_exe
behavioral1/files/0x0035000000016312-31.dat	autoit_exe
behavioral1/files/0x0007000000016af5-35.dat	autoit_exe
behavioral1/files/0x0035000000016312-34.dat	autoit_exe
behavioral1/files/0x0008000000012284-33.dat	autoit_exe
behavioral1/files/0x0007000000016af5-39.dat	autoit_exe
behavioral1/files/0x0035000000016312-42.dat	autoit_exe
behavioral1/files/0x0035000000016312-41.dat	autoit_exe
behavioral1/files/0x0007000000016af5-44.dat	autoit_exe
behavioral1/files/0x0006000000018b06-70.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\xtiojdexdz.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File opened for modification	C:\Windows\SysWOW64\pulgfonxcchgkhu.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File opened for modification	C:\Windows\SysWOW64\ixgflrvl.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File created	C:\Windows\SysWOW64\drzraqhgydmpk.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File opened for modification	C:\Windows\SysWOW64\drzraqhgydmpk.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	xtiojdexdz.exe
File created	C:\Windows\SysWOW64\xtiojdexdz.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File created	C:\Windows\SysWOW64\pulgfonxcchgkhu.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File created	C:\Windows\SysWOW64\ixgflrvl.exe	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ixgflrvl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ixgflrvl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ixgflrvl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ixgflrvl.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ixgflrvl.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ixgflrvl.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ixgflrvl.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BC3FF1C22DED109D1D18A0B9113"	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	xtiojdexdz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	xtiojdexdz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B05B4790399D53B9B9D03393D7CA"	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	xtiojdexdz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	xtiojdexdz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2608	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2728	pulgfonxcchgkhu.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2788	xtiojdexdz.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2728	pulgfonxcchgkhu.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2896	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2748	ixgflrvl.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe
2852	drzraqhgydmpk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2608	WINWORD.EXE
2608	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2788	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	28
PID 2480 wrote to memory of 2788	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	28
PID 2480 wrote to memory of 2788	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	28
PID 2480 wrote to memory of 2788	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	28
PID 2480 wrote to memory of 2728	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	29
PID 2480 wrote to memory of 2728	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	29
PID 2480 wrote to memory of 2728	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	29
PID 2480 wrote to memory of 2728	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	29
PID 2480 wrote to memory of 2896	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	30
PID 2480 wrote to memory of 2896	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	30
PID 2480 wrote to memory of 2896	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	30
PID 2480 wrote to memory of 2896	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	30
PID 2480 wrote to memory of 2852	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	31
PID 2480 wrote to memory of 2852	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	31
PID 2480 wrote to memory of 2852	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	31
PID 2480 wrote to memory of 2852	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	31
PID 2788 wrote to memory of 2748	2788	xtiojdexdz.exe	32
PID 2788 wrote to memory of 2748	2788	xtiojdexdz.exe	32
PID 2788 wrote to memory of 2748	2788	xtiojdexdz.exe	32
PID 2788 wrote to memory of 2748	2788	xtiojdexdz.exe	32
PID 2480 wrote to memory of 2608	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	33
PID 2480 wrote to memory of 2608	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	33
PID 2480 wrote to memory of 2608	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	33
PID 2480 wrote to memory of 2608	2480	4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe	33
PID 2608 wrote to memory of 1452	2608	WINWORD.EXE	36
PID 2608 wrote to memory of 1452	2608	WINWORD.EXE	36
PID 2608 wrote to memory of 1452	2608	WINWORD.EXE	36
PID 2608 wrote to memory of 1452	2608	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe
"C:\Users\Admin\AppData\Local\Temp\4d5e6dfe78c7d6afdcd33b82ac6c93d4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\xtiojdexdz.exe
  xtiojdexdz.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\ixgflrvl.exe
    C:\Windows\system32\ixgflrvl.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2748
- C:\Windows\SysWOW64\pulgfonxcchgkhu.exe
  pulgfonxcchgkhu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2728
- C:\Windows\SysWOW64\ixgflrvl.exe
  ixgflrvl.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2896
- C:\Windows\SysWOW64\drzraqhgydmpk.exe
  drzraqhgydmpk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2852
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
6d3b130730afe2136e5eea1edf2d6cd9

SHA1
867ff7f8d239fef7a69dd4f869e7d7eeb54c84c6

SHA256
1d04106de82bade844f9259ac3eaac2e79f3ee526ebc45e3db79f8bca0384142

SHA512
f27257b98bf0ed0da1830df1f35fd7e26be2662fb74729b1190fcdacdf14d9b60a2e59b4d63f4682a6fd780d8c5a16cef83b48215d3533e14dbde7e39ed9a140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
86d11f40a58cd847ed0ce94ef908df0e

SHA1
353898d0670796d904fb0fe2bfb2ccc71b431186

SHA256
679f565e931648cb0da031d6506840e0533711cfc7ac234f618aea8fe6422fef

SHA512
37e3119cb423f606c7d61d224c3e56b01a16d86c3bf8eb36902828bad553a7bcd8ae1d54f97b9ffb65e9035366f875f6730fdac96f14d410a0e88940ce4f6dd3

Download Submit
C:\Windows\SysWOW64\drzraqhgydmpk.exe

Filesize
69KB

MD5
ed46282b641847f19c32696ced33d0f7

SHA1
6fa698b85369b21be5c2f8b7e04241eacd010b16

SHA256
7e3bc5f2b2e533173d410aa3d845600c45a847c1091f9652e09ccb1685871b98

SHA512
d05e2eec91e4814ea518f71b2b472929ceae7eaa8872348b43514e64b1981b60a89b8d9b10abb85b97fb5765ebf214c1e85a07cb92571da108dd3704e4c80bab

Download Submit
C:\Windows\SysWOW64\drzraqhgydmpk.exe

Filesize
1KB

MD5
ec89629d437c17787acc7061c89e753c

SHA1
c65089b32eba1cf75d3546335718073460c971f9

SHA256
87b17909878537f2c3d3bc046f54b9eb382e312fa75d2b177457a978dcc7d83c

SHA512
65f02cc30b64e2c33d7287c135bc0bb20abe1e35c7176a03e47403db3e21da28f7e7ec7a13ef748aeb76ac06e5e159a9b4e62196692c3411459a4ae235a1bec9

Download Submit
C:\Windows\SysWOW64\ixgflrvl.exe

Filesize
62KB

MD5
017e548bdfd8961c9268326a363dbda6

SHA1
787ae0b7cc229f67707d20014537071311420e30

SHA256
c4a39ce873f4415be3933ffd7d9aac31940a8e06f3a585011d485a9dd83c7d06

SHA512
dae69fa212f33f96849477e8ff97c036620b0aa33dc19786cae01536a91d005b00371547682f89eac70d731f626db8695b359e39828c46757dcaadff43e78821

Download Submit
C:\Windows\SysWOW64\ixgflrvl.exe

Filesize
33KB

MD5
05fff811b43c3fdb8a6f1ccc920fbb28

SHA1
e40c7a343e2cb06b22f9d9fcd83bce75562c38d7

SHA256
6c2bc990abeea3203e617d28e0dafe6639f1785e47d8233503ce3eb87f233849

SHA512
677458d59741fa03fa04c0360f503ff2bb02c04f3ade40d3639dc93a2bfe38758852b668ecdc05a3e8b3c285d8d387d279a0b6347bf4c75278737eb8d51f0f16

Download Submit
C:\Windows\SysWOW64\ixgflrvl.exe

Filesize
7KB

MD5
88efa173783dc69eab793e956ea2507c

SHA1
2eeda12c20feedb49d015b6d9c3d40d5df0867a0

SHA256
7c9b4687195cd24a6281be5d97f3075145731ca3b611cff5df9b1fba46b691be

SHA512
976b0c8dfd9aca3fb704d0dd26d26582337e31bb59ebf3b6311de9a2ad9c5791343258683df923b644ee8c906d4d859ff836fd149c131c9dd99e540f863c99f9

Download Submit
C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

Filesize
51KB

MD5
c58dff29c07cb4e218f17ab9bc71fd19

SHA1
cabea63cf07b035a52ca7fd155c678c5b7382770

SHA256
f9f94f01e198c6a5cabc1bc9c9b40f1e2728a7a343aa6c807d9d8288ade96b7c

SHA512
1d0f884575ac5f4ddded2148f19f3d6270198ef4cc33d9841579b28640b3509a320f10400b2226d494e869ec66d3c91857068874cefc28d9c26b1d88e957753b

Download Submit
C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

Filesize
62KB

MD5
36e91ca7841c65c8b098f74deb9a249c

SHA1
9e408a110245db5777ec9ed9e269901e9836eafa

SHA256
597a042fc38e4d92229a91351a5cd4ce477e1cc0a25375f5de5d710cd6392b41

SHA512
90210143d146bb2d8db91df90d7f39f6bccb731870e09edf6cb4a402e029cc1a2095d7cec5569241052e91b21aac4349a98118914647766a3f1bac0c11679c91

Download Submit
C:\Windows\SysWOW64\pulgfonxcchgkhu.exe

Filesize
512KB

MD5
5503dae307774331521103dedbbccfdb

SHA1
32a63c53f25b58f284db754c71d4e4df75ba2868

SHA256
0496f02ce041af68fd2a157f186e3b928244f61fa88f90865d400969997d0650

SHA512
c430d3d716ff42bb75ba0c6b38a975108afeaff5af10d23317723f0f29bfdb76bd0b332419965aea8e2c074957b2ad13413e6f23d79cb69a691b7f6668f1f538

Download Submit
C:\Windows\SysWOW64\xtiojdexdz.exe

Filesize
266KB

MD5
3ba919cf1e8ca4baf44a70be84880cb1

SHA1
41ea9de2807ef03f57cf564a224712e124287755

SHA256
364dadfceff8e3313a0b924afdca4814d8a7e3c507f39b3d6c4d6f3965ce5de8

SHA512
8f965a86cab8514538edc65af094effa9da66340c549ab048dedf4d16033d42d78222b6f3ce6f6106c0a58bbcf4421ba870b8e2480ed28cd7a558a9bb6858f63

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\drzraqhgydmpk.exe

Filesize
45KB

MD5
e8d0a210a7de9cb675e1378280b0b6de

SHA1
c2ab939a2766a03bf6c24459cd935c2d580f220d

SHA256
c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

SHA512
e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Download Submit
\Windows\SysWOW64\ixgflrvl.exe

Filesize
79KB

MD5
23d80d6c0f188b47e51f974a0b802708

SHA1
5b510e857b46de80c83e904a670f22db4c06ba4d

SHA256
a068be9b5cc41de25f043a1f42d6a9b3a126c1b3062db6a5612299b8519da527

SHA512
a09d83298f2d15fef3bb9699878a40d07ecb69b13d340709a32423b56edcc79e97cc398cba7b6915bf5b0e186a239e1d800c59e04c9fa4b82e45c042d94a3799

Download Submit
\Windows\SysWOW64\ixgflrvl.exe

Filesize
11KB

MD5
5f7990983a1bd89887ec3cc0c570424b

SHA1
819a85aeb3aa5e7a143ecbdca07e9b0db29f43da

SHA256
d860742a7159164106750b5de95e740c8372053706f76b90012200b02e4778f1

SHA512
96211bbc945ddee6c3e9392a7d556df4e95f867f5c954b9cfda2d326e2c01dbdb748257b5e8dd420f753c781ae5671549c358d5446cbab4b6ed413bf94cc1a97

Download Submit
\Windows\SysWOW64\pulgfonxcchgkhu.exe

Filesize
177KB

MD5
0381fd0e78841e1f5727a9e4dbc32c90

SHA1
4b7671c2ac18ca74776b8f4356b948aeab153571

SHA256
5b20fe75d6a2f04bde3d441bc19725da20cdb27701d31bd423225071660cd525

SHA512
788451e37b9b0cc789d27aa1a5ce418ffee9466e28ec0da29e1b3a9553585aa0f08caea0a08b890193ac5b2a6e592e1194c813b8c380e68bd6c5ca5332d60021

Download Submit
\Windows\SysWOW64\xtiojdexdz.exe

Filesize
512KB

MD5
1fcb70e614aa7d3c1279f8bf5e306353

SHA1
32cdae750d4baadb2fef90cb51adccd0ee48359c

SHA256
db6f8498ab6aa909eb94aab0c0e04a0c64f37af59b9e4feef56996be37adc6e7

SHA512
c2f88ecadf9c39fec568c0de35119d1fd6484723bc8efe6fcbb522e1df00728964f243068d934e35fb2f3ed7aa0822a1e5344ac41b63ee6a5163ae104e59620c

Download Submit
memory/2480-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2608-45-0x000000002F171000-0x000000002F172000-memory.dmp

Filesize
4KB

Download
memory/2608-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2608-47-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download
memory/2608-75-0x0000000070D0D000-0x0000000070D18000-memory.dmp

Filesize
44KB

Download
memory/2608-96-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download