Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2024, 23:09
Static task: static1
Behavioral task: behavioral1
Sample: 7b880e537aac45cce5b55c5deb5e48b6.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 7b880e537aac45cce5b55c5deb5e48b6.exe
Resource: win10v2004-20231215-en
General
Target: 7b880e537aac45cce5b55c5deb5e48b6.exe
Size: 512KB
MD5: 7b880e537aac45cce5b55c5deb5e48b6
SHA1: bcd63a8498d850a32579e68ba83da89bf73c49e8
SHA256: 25002152bb73f31b491fb484fc08aa0b23349b4c2baa6934920b5ecab2255dbd
SHA512: 306e4546d03761664d64bb446daf4b585227b2de6ea00858e6e993198ba41c9529d54605c05a49aa0e2c07c9eb5e07bf06c3d29c66eac0d709fcd9983f699ed9
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5j
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | axwexxlwti.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | axwexxlwti.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | axwexxlwti.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | axwexxlwti.exe
Executes dropped EXE 5 IoCs
pid | Process
3020 | axwexxlwti.exe
2888 | ueffeorzsrxdxxb.exe
2604 | eocyvpwe.exe
2692 | izjleoyvmqlzg.exe
2724 | eocyvpwe.exe
Loads dropped DLL 5 IoCs
pid | Process
1460 | 7b880e537aac45cce5b55c5deb5e48b6.exe
1460 | 7b880e537aac45cce5b55c5deb5e48b6.exe
1460 | 7b880e537aac45cce5b55c5deb5e48b6.exe
1460 | 7b880e537aac45cce5b55c5deb5e48b6.exe
3020 | axwexxlwti.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | axwexxlwti.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "izjleoyvmqlzg.exe" | ueffeorzsrxdxxb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lgobfhta = "axwexxlwti.exe" | ueffeorzsrxdxxb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\edrpoxbl = "ueffeorzsrxdxxb.exe" | ueffeorzsrxdxxb.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | axwexxlwti.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | axwexxlwti.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1460-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000c0000000133ba-5.dat | autoit_exe
behavioral1/files/0x000a0000000133a9-17.dat | autoit_exe
behavioral1/files/0x000a000000013ac5-31.dat | autoit_exe
behavioral1/files/0x00070000000141b0-38.dat | autoit_exe
behavioral1/files/0x00060000000147f1-67.dat | autoit_exe
behavioral1/files/0x0006000000014afa-81.dat | autoit_exe
behavioral1/files/0x0006000000014ac0-75.dat | autoit_exe
behavioral1/files/0x0006000000014b64-84.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | axwexxlwti.exe
File created | C:\Windows\SysWOW64\axwexxlwti.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File created | C:\Windows\SysWOW64\ueffeorzsrxdxxb.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File created | C:\Windows\SysWOW64\eocyvpwe.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File created | C:\Windows\SysWOW64\izjleoyvmqlzg.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File opened for modification | C:\Windows\SysWOW64\izjleoyvmqlzg.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File opened for modification | C:\Windows\SysWOW64\axwexxlwti.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File opened for modification | C:\Windows\SysWOW64\ueffeorzsrxdxxb.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
File opened for modification | C:\Windows\SysWOW64\eocyvpwe.exe | 7b880e537aac45cce5b55c5deb5e48b6.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | \??\c:\Program Files\SuspendCompare.doc.exe | eocyvpwe.exe
File opened for modification | \??\c:\Program Files\SuspendCompare.doc.exe | eocyvpwe.exe
File opened for modification | C:\Program Files\SuspendCompare.nal | eocyvpwe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files\SuspendCompare.doc.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | eocyvpwe.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | eocyvpwe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | eocyvpwe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files\SuspendCompare.doc.exe | eocyvpwe.exe
File opened for modification | C:\Program Files\SuspendCompare.nal | eocyvpwe.exe
File opened for modification | \??\c:\Program Files\SuspendCompare.doc.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | eocyvpwe.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | eocyvpwe.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | eocyvpwe.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | eocyvpwe.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 7b880e537aac45cce5b55c5deb5e48b6.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2484 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2484 | WINWORD.EXE
2484 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\7b880e537aac45cce5b55c5deb5e48b6.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7b880e537aac45cce5b55c5deb5e48b6.exe"
PID: 1460
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\axwexxlwti.exe
    Command line: axwexxlwti.exe
    PID: 3020
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\eocyvpwe.exe
        Command line: C:\Windows\system32\eocyvpwe.exe
        PID: 2724
        - Executes dropped EXE
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\ueffeorzsrxdxxb.exe
    Command line: ueffeorzsrxdxxb.exe
    PID: 2888
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\izjleoyvmqlzg.exe
    Command line: izjleoyvmqlzg.exe
    PID: 2692
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\eocyvpwe.exe
    Command line: eocyvpwe.exe
    PID: 2604
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2484
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\splwow64.exe
        Command line: C:\Windows\splwow64.exe 12288
        PID: 2780
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads