3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d172f1d232d758347932641bbbf7dcf.exe
Size

512KB
MD5

7d172f1d232d758347932641bbbf7dcf
SHA1

2256a32fd4209fc94e66b7a94c120eea6a054a3a
SHA256

3e359659220833717f4206c8257124ee3d5ae741ec5ee1e643c094c07f2d3d05
SHA512

c963c99b8914efa0020791e0ea32f4ffa714b05a92449269070a017c5d9b6b91205fca6dc051a6323c01e7c4a1780ff8523006d884888bd15c46a53e14095e40
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj69:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	jymukgwzza.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jymukgwzza.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jymukgwzza.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jymukgwzza.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
1716	jymukgwzza.exe
3036	clvnvdoagrwzkdw.exe
2556	ymwyhewq.exe
2672	emwubcrcavrmo.exe
2640	ymwyhewq.exe

Loads dropped DLL 5 IoCs

pid	Process
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
1716	jymukgwzza.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	jymukgwzza.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\labsqnjm = "clvnvdoagrwzkdw.exe"	clvnvdoagrwzkdw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "emwubcrcavrmo.exe"	clvnvdoagrwzkdw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wfwzxzof = "jymukgwzza.exe"	clvnvdoagrwzkdw.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	ymwyhewq.exe
File opened (read-only)	\??\y:	ymwyhewq.exe
File opened (read-only)	\??\q:	ymwyhewq.exe
File opened (read-only)	\??\a:	ymwyhewq.exe
File opened (read-only)	\??\u:	ymwyhewq.exe
File opened (read-only)	\??\i:	ymwyhewq.exe
File opened (read-only)	\??\h:	ymwyhewq.exe
File opened (read-only)	\??\i:	ymwyhewq.exe
File opened (read-only)	\??\n:	ymwyhewq.exe
File opened (read-only)	\??\m:	jymukgwzza.exe
File opened (read-only)	\??\q:	jymukgwzza.exe
File opened (read-only)	\??\r:	jymukgwzza.exe
File opened (read-only)	\??\u:	jymukgwzza.exe
File opened (read-only)	\??\s:	ymwyhewq.exe
File opened (read-only)	\??\a:	ymwyhewq.exe
File opened (read-only)	\??\t:	ymwyhewq.exe
File opened (read-only)	\??\l:	jymukgwzza.exe
File opened (read-only)	\??\w:	ymwyhewq.exe
File opened (read-only)	\??\m:	ymwyhewq.exe
File opened (read-only)	\??\s:	jymukgwzza.exe
File opened (read-only)	\??\p:	ymwyhewq.exe
File opened (read-only)	\??\y:	ymwyhewq.exe
File opened (read-only)	\??\k:	jymukgwzza.exe
File opened (read-only)	\??\g:	ymwyhewq.exe
File opened (read-only)	\??\v:	ymwyhewq.exe
File opened (read-only)	\??\u:	ymwyhewq.exe
File opened (read-only)	\??\w:	ymwyhewq.exe
File opened (read-only)	\??\o:	ymwyhewq.exe
File opened (read-only)	\??\v:	ymwyhewq.exe
File opened (read-only)	\??\z:	ymwyhewq.exe
File opened (read-only)	\??\x:	jymukgwzza.exe
File opened (read-only)	\??\z:	ymwyhewq.exe
File opened (read-only)	\??\e:	ymwyhewq.exe
File opened (read-only)	\??\n:	ymwyhewq.exe
File opened (read-only)	\??\o:	ymwyhewq.exe
File opened (read-only)	\??\b:	ymwyhewq.exe
File opened (read-only)	\??\e:	ymwyhewq.exe
File opened (read-only)	\??\r:	ymwyhewq.exe
File opened (read-only)	\??\p:	ymwyhewq.exe
File opened (read-only)	\??\v:	jymukgwzza.exe
File opened (read-only)	\??\y:	jymukgwzza.exe
File opened (read-only)	\??\g:	ymwyhewq.exe
File opened (read-only)	\??\a:	jymukgwzza.exe
File opened (read-only)	\??\l:	ymwyhewq.exe
File opened (read-only)	\??\o:	jymukgwzza.exe
File opened (read-only)	\??\t:	jymukgwzza.exe
File opened (read-only)	\??\m:	ymwyhewq.exe
File opened (read-only)	\??\s:	ymwyhewq.exe
File opened (read-only)	\??\x:	ymwyhewq.exe
File opened (read-only)	\??\e:	jymukgwzza.exe
File opened (read-only)	\??\h:	jymukgwzza.exe
File opened (read-only)	\??\p:	jymukgwzza.exe
File opened (read-only)	\??\z:	jymukgwzza.exe
File opened (read-only)	\??\q:	ymwyhewq.exe
File opened (read-only)	\??\j:	ymwyhewq.exe
File opened (read-only)	\??\k:	ymwyhewq.exe
File opened (read-only)	\??\r:	ymwyhewq.exe
File opened (read-only)	\??\t:	ymwyhewq.exe
File opened (read-only)	\??\i:	jymukgwzza.exe
File opened (read-only)	\??\j:	jymukgwzza.exe
File opened (read-only)	\??\n:	jymukgwzza.exe
File opened (read-only)	\??\k:	ymwyhewq.exe
File opened (read-only)	\??\h:	ymwyhewq.exe
File opened (read-only)	\??\b:	jymukgwzza.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	jymukgwzza.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	jymukgwzza.exe

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b000000015c52-5.dat	autoit_exe
behavioral1/files/0x0009000000015c33-17.dat	autoit_exe
behavioral1/files/0x0009000000015cfa-26.dat	autoit_exe
behavioral1/files/0x000b000000015c52-25.dat	autoit_exe
behavioral1/files/0x0009000000015cfa-29.dat	autoit_exe
behavioral1/files/0x0007000000015d2b-32.dat	autoit_exe
behavioral1/files/0x0009000000015c33-37.dat	autoit_exe
behavioral1/files/0x0007000000015d2b-36.dat	autoit_exe
behavioral1/files/0x000b000000015c52-39.dat	autoit_exe
behavioral1/files/0x0007000000015d2b-41.dat	autoit_exe
behavioral1/files/0x0009000000015cfa-42.dat	autoit_exe
behavioral1/files/0x0009000000015cfa-43.dat	autoit_exe
behavioral1/files/0x0006000000016bdb-72.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jymukgwzza.exe	7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification	C:\Windows\SysWOW64\jymukgwzza.exe	7d172f1d232d758347932641bbbf7dcf.exe
File created	C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe	7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	jymukgwzza.exe
File opened for modification	C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe	7d172f1d232d758347932641bbbf7dcf.exe
File created	C:\Windows\SysWOW64\ymwyhewq.exe	7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification	C:\Windows\SysWOW64\ymwyhewq.exe	7d172f1d232d758347932641bbbf7dcf.exe
File created	C:\Windows\SysWOW64\emwubcrcavrmo.exe	7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification	C:\Windows\SysWOW64\emwubcrcavrmo.exe	7d172f1d232d758347932641bbbf7dcf.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ymwyhewq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ymwyhewq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	ymwyhewq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ymwyhewq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ymwyhewq.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	ymwyhewq.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	ymwyhewq.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	ymwyhewq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	7d172f1d232d758347932641bbbf7dcf.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC60915E0DBC3B9BC7C93ED9434BD"	7d172f1d232d758347932641bbbf7dcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	jymukgwzza.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF8A4F27826D9141D75D7E97BDEEE133584166456333D79B"	7d172f1d232d758347932641bbbf7dcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33302D089C2482236A3776D777212DAD7C8464D8"	7d172f1d232d758347932641bbbf7dcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F66BB3FF1A22A9D178D1A48A0F9117"	7d172f1d232d758347932641bbbf7dcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	jymukgwzza.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EC2B15C449038EB53BDBAD73392D4BC"	7d172f1d232d758347932641bbbf7dcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2496	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2640	ymwyhewq.exe
2640	ymwyhewq.exe
2640	ymwyhewq.exe
2640	ymwyhewq.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
3036	clvnvdoagrwzkdw.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe
Token: SeShutdownPrivilege	772	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2640	ymwyhewq.exe
2640	ymwyhewq.exe
2640	ymwyhewq.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
2372	7d172f1d232d758347932641bbbf7dcf.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
1716	jymukgwzza.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
2556	ymwyhewq.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
3036	clvnvdoagrwzkdw.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
2672	emwubcrcavrmo.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	WINWORD.EXE
2496	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1716	2372	7d172f1d232d758347932641bbbf7dcf.exe	28
PID 2372 wrote to memory of 1716	2372	7d172f1d232d758347932641bbbf7dcf.exe	28
PID 2372 wrote to memory of 1716	2372	7d172f1d232d758347932641bbbf7dcf.exe	28
PID 2372 wrote to memory of 1716	2372	7d172f1d232d758347932641bbbf7dcf.exe	28
PID 2372 wrote to memory of 3036	2372	7d172f1d232d758347932641bbbf7dcf.exe	29
PID 2372 wrote to memory of 3036	2372	7d172f1d232d758347932641bbbf7dcf.exe	29
PID 2372 wrote to memory of 3036	2372	7d172f1d232d758347932641bbbf7dcf.exe	29
PID 2372 wrote to memory of 3036	2372	7d172f1d232d758347932641bbbf7dcf.exe	29
PID 2372 wrote to memory of 2556	2372	7d172f1d232d758347932641bbbf7dcf.exe	30
PID 2372 wrote to memory of 2556	2372	7d172f1d232d758347932641bbbf7dcf.exe	30
PID 2372 wrote to memory of 2556	2372	7d172f1d232d758347932641bbbf7dcf.exe	30
PID 2372 wrote to memory of 2556	2372	7d172f1d232d758347932641bbbf7dcf.exe	30
PID 2372 wrote to memory of 2672	2372	7d172f1d232d758347932641bbbf7dcf.exe	31
PID 2372 wrote to memory of 2672	2372	7d172f1d232d758347932641bbbf7dcf.exe	31
PID 2372 wrote to memory of 2672	2372	7d172f1d232d758347932641bbbf7dcf.exe	31
PID 2372 wrote to memory of 2672	2372	7d172f1d232d758347932641bbbf7dcf.exe	31
PID 1716 wrote to memory of 2640	1716	jymukgwzza.exe	32
PID 1716 wrote to memory of 2640	1716	jymukgwzza.exe	32
PID 1716 wrote to memory of 2640	1716	jymukgwzza.exe	32
PID 1716 wrote to memory of 2640	1716	jymukgwzza.exe	32
PID 2372 wrote to memory of 2496	2372	7d172f1d232d758347932641bbbf7dcf.exe	33
PID 2372 wrote to memory of 2496	2372	7d172f1d232d758347932641bbbf7dcf.exe	33
PID 2372 wrote to memory of 2496	2372	7d172f1d232d758347932641bbbf7dcf.exe	33
PID 2372 wrote to memory of 2496	2372	7d172f1d232d758347932641bbbf7dcf.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe
"C:\Users\Admin\AppData\Local\Temp\7d172f1d232d758347932641bbbf7dcf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\jymukgwzza.exe
  jymukgwzza.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\ymwyhewq.exe
    C:\Windows\system32\ymwyhewq.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2640
- C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe
  clvnvdoagrwzkdw.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3036
- C:\Windows\SysWOW64\ymwyhewq.exe
  ymwyhewq.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2556
- C:\Windows\SysWOW64\emwubcrcavrmo.exe
  emwubcrcavrmo.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2672
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2496

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
e449f7cae5d90c20ac41ec7a1cf79799

SHA1
4f4339f9f436c96db37316ab0740a83ce4760ec9

SHA256
fbb1371b44a911541fdc54b14885c213f7a3ffdf6298476beacfa9d3473b71b0

SHA512
6822c90f337032354e1244d19e9a77d941fa708ad40bf0834f61ece5b55674df30a2a08a962d283ea707d0d348591b5e0664a17c19c8ab1a0d5831fa84cff0ec

Download Submit
C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

Filesize
307KB

MD5
6c78ce2bc1f28e8e292231ee743b5923

SHA1
47149b239b982ca4d85bca9189df9040bcc9977d

SHA256
1da4bb2717bb1177f8e0970fb0a4e1ac4ee345601c0d3d23032e03246b48aede

SHA512
d96ee59d56b56ff48104f0cef5dd922ac51e3f809bbbd74b4b9c173745c3c094e0efbdb4850695517706e9d1fd8056341f09ce1736f3cf7a34960948275b7ab0

Download Submit
C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

Filesize
389KB

MD5
dbda106623e21f60ea6da27a054a6a13

SHA1
9320f67a599835dd84862201dc72fed1ac779611

SHA256
ee491d24b01e6b0d6f62b7c819ad66a106c636ade3d71b4188fd2a107085c2b8

SHA512
fc174f762f4d28bc6a3262ce0d9b9a190f5092ed9aefe1c4bde33c2d1fbf3f97013072e97dea07b80b540ccfa8232eb2c459e25af70b41bfd802072fb731e169

Download Submit
C:\Windows\SysWOW64\clvnvdoagrwzkdw.exe

Filesize
512KB

MD5
b31feeaf62054e79eeae34112fd5a5aa

SHA1
d5228057e00319648ac1a106103a43a137421cc6

SHA256
b13cdc33727b7a6265cf818e434fbb9877946acf6af94b5e653c6722b9b493f3

SHA512
6e31e4580d5fd07e842e5a901095eeb2f0c01633f0ba88bb5aee7f800866bb26ed98fcab90d8e7666076e5295112a1f5b3ec0b3eab84d7649a1890a55f6b9976

Download Submit
C:\Windows\SysWOW64\emwubcrcavrmo.exe

Filesize
512KB

MD5
0c6a40a215f2c92f196edc0d4346715a

SHA1
ec38d10c894dd46be5f9dfbb8b1a753a2619f0a2

SHA256
97b7ea70a501a0f3d5eca913d5774925382f409ad42eb59106ea97672c0435fb

SHA512
2a7bebe5e4889af1525de0a3dd6a294ad8e8e1408e1b2a4cfec09da5522fe696822fef340d4b696750ce83229990fd4ec1f08b2b962eb7cf8c64cb7fa7e8eb3a

Download Submit
C:\Windows\SysWOW64\emwubcrcavrmo.exe

Filesize
496KB

MD5
18b14c2e0aac4dd3f27b8a63e63c4eb4

SHA1
2625d70fc241869261405de95a5bdbd89071d2fd

SHA256
e66aeedaa79a3271df1f21318308e18f806daa0656e5fcf1f94ee64e34360588

SHA512
cfe6a273d7b2b1f22256be62d2c07fff79ce319a404498b04b176cbca0200b3b87f9a229571f764eaefc73193b8b3ed0da8893e13550a0f4bfaf220494456305

Download Submit
C:\Windows\SysWOW64\jymukgwzza.exe

Filesize
423KB

MD5
522fc5c938ebfc25a35f671e9201e682

SHA1
f9e48c74481ded815b4ce03ee6969dc11c52647a

SHA256
a3b187b33e7de7a71e8c2e8d67fd243b643915e917755c055a1c5cd41dcc274c

SHA512
4a3fc433ba7b383e23cfbb6011f146072ea6b8c3a2b992fd35da07625dd6720f814998590cd882e55c3510cdc6ff0ba8c0b662cf437a3ba6bcc6487c3f128e5e

Download Submit
C:\Windows\SysWOW64\ymwyhewq.exe

Filesize
494KB

MD5
7b1525b3472e00d432603fdf78f96f86

SHA1
2136d76b14d442a1c4a11b6eea826dcf62cc6d08

SHA256
b62db2be6a1fb49632d6110ef70f37611ec2ea746dadb7b626e27e76f37dc935

SHA512
786f8c53cad2d3ec7e0ea40aadce3ca463015a8dcf22b61837e8f4a5a11b1e0cf581811b09bc77a3809cf21d7e402ac860edbd360fbeaa8f49ec3daf4924c621

Download Submit
C:\Windows\SysWOW64\ymwyhewq.exe

Filesize
350KB

MD5
8b3695b3287401eadd4542be6b5c383e

SHA1
0410a65d96fe5ca1bbbe204b1144fb368ff9ca50

SHA256
2053afe1aa436ee71502c93b6a1864d71c928687b478219f776221788edc2698

SHA512
40aca8406669b5b23e657fcc6a3cf8dd3400d93a63e969c20a2d12981ea70a7e4a0041e364198a422184bd0574006642edb47d7bbce5981682106cadf8584e46

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\emwubcrcavrmo.exe

Filesize
220KB

MD5
97067760cfb027e11cf178153156b9ee

SHA1
bbb15ab92f2d261ab72a3d7c133daa272d6fad9c

SHA256
9f02f1661935d574ccc146ba3903eeb50d6d3c9944d226d287565ff28447af9e

SHA512
ee6b91a6b05e79089a7b777ac2073a5c5ed4aaa7781cf06acf4dae7789123439ece138c90ebbe199967ce06a78bb17d586abdea75301076510af60b42b8cc0fe

Download Submit
\Windows\SysWOW64\jymukgwzza.exe

Filesize
512KB

MD5
be5b07a8017248b0fa0475f4e5eb14b9

SHA1
2c597657a42494a1262ed052128e7aafffe7c5ca

SHA256
ed60b32f80a6e0d809823872e6eb51cde2273861b32357af36687f502922831c

SHA512
af5c30a7eda259473f1ca72e5995234537e62aefad5520edd606c6db6f78ba4464b9129a10c2bc1a7288eb7c4b35685f0f130673136be951051ccb63fe5f8840

Download Submit
\Windows\SysWOW64\ymwyhewq.exe

Filesize
512KB

MD5
0ed4ff3270b14c144b6a9af098b30e3d

SHA1
d1aec4850ea72466e6f6006dfcd25ff3a0c46412

SHA256
bfe89a5648dba7466ea02c199a140c8c29ee875cb36f37a75d81ef9f90d889cd

SHA512
6cbac759249b0e9054fdc1974356cc2b9429032c002b934f0135f01d3abcff39ee8ae4fdbc98f880e0abb30c852d067dc8ee1b45665a8f36ef988b1585449c3a

Download Submit
\Windows\SysWOW64\ymwyhewq.exe

Filesize
334KB

MD5
bfdef0bc4988f2d6a89bad4e51a6e5cd

SHA1
a405defa990a25591a377ae723fe2f47483e12cb

SHA256
5820cf35b1d2c05edd7f3f53630c640c4f8752c7a9dc9640c2a5dd54a00bd4f4

SHA512
a3d6669b5de2c52a96907f7745e292236c4709311b5e85f4cfe9c4e7872e7a5d785df357061a492097d5a00f57b8846ce3c26efc2848390c70b553faacdd3fa9

Download Submit
memory/772-75-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/772-77-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/772-83-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/2372-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2496-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2496-47-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download
memory/2496-45-0x000000002FB81000-0x000000002FB82000-memory.dmp

Filesize
4KB

Download
memory/2496-76-0x000000007130D000-0x0000000071318000-memory.dmp

Filesize
44KB

Download