f4c7db55a97184b0ab799d8f447197c89d152806effc4ac8d3d23fe559cbc402

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

804c591d6ff5b6254b2830e7095c5616.exe
Size

512KB
MD5

804c591d6ff5b6254b2830e7095c5616
SHA1

1eeffa7793c6d11fcb824a840122cacdca0011d6
SHA256

f4c7db55a97184b0ab799d8f447197c89d152806effc4ac8d3d23fe559cbc402
SHA512

88c5e7ec2bef58aaa1750ebd74e71e860550da6f0e39c3ba3da0bc88ea59b623ecaf0e03f0a942758679918f58453749c8f6e0c14817f6210809a87c8889f70a
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6+:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ceuozvjjvt.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ceuozvjjvt.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ceuozvjjvt.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ceuozvjjvt.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2768	ceuozvjjvt.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2832	pxcieuhc.exe
2580	pxcieuhc.exe

Loads dropped DLL 5 IoCs

pid	Process
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2768	ceuozvjjvt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ceuozvjjvt.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iuqdoijn = "uxygyynguabxokb.exe"	uxygyynguabxokb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jarzbhjfmsian.exe"	uxygyynguabxokb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\jplqrxlp = "ceuozvjjvt.exe"	uxygyynguabxokb.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	ceuozvjjvt.exe
File opened (read-only)	\??\m:	ceuozvjjvt.exe
File opened (read-only)	\??\y:	pxcieuhc.exe
File opened (read-only)	\??\z:	pxcieuhc.exe
File opened (read-only)	\??\n:	ceuozvjjvt.exe
File opened (read-only)	\??\o:	ceuozvjjvt.exe
File opened (read-only)	\??\t:	ceuozvjjvt.exe
File opened (read-only)	\??\j:	pxcieuhc.exe
File opened (read-only)	\??\j:	pxcieuhc.exe
File opened (read-only)	\??\z:	ceuozvjjvt.exe
File opened (read-only)	\??\x:	pxcieuhc.exe
File opened (read-only)	\??\y:	pxcieuhc.exe
File opened (read-only)	\??\r:	pxcieuhc.exe
File opened (read-only)	\??\s:	pxcieuhc.exe
File opened (read-only)	\??\h:	ceuozvjjvt.exe
File opened (read-only)	\??\q:	ceuozvjjvt.exe
File opened (read-only)	\??\i:	pxcieuhc.exe
File opened (read-only)	\??\a:	pxcieuhc.exe
File opened (read-only)	\??\e:	ceuozvjjvt.exe
File opened (read-only)	\??\b:	pxcieuhc.exe
File opened (read-only)	\??\e:	pxcieuhc.exe
File opened (read-only)	\??\t:	pxcieuhc.exe
File opened (read-only)	\??\g:	pxcieuhc.exe
File opened (read-only)	\??\o:	pxcieuhc.exe
File opened (read-only)	\??\q:	pxcieuhc.exe
File opened (read-only)	\??\w:	ceuozvjjvt.exe
File opened (read-only)	\??\x:	ceuozvjjvt.exe
File opened (read-only)	\??\e:	pxcieuhc.exe
File opened (read-only)	\??\z:	pxcieuhc.exe
File opened (read-only)	\??\w:	pxcieuhc.exe
File opened (read-only)	\??\t:	pxcieuhc.exe
File opened (read-only)	\??\a:	ceuozvjjvt.exe
File opened (read-only)	\??\j:	ceuozvjjvt.exe
File opened (read-only)	\??\l:	ceuozvjjvt.exe
File opened (read-only)	\??\a:	pxcieuhc.exe
File opened (read-only)	\??\l:	pxcieuhc.exe
File opened (read-only)	\??\k:	pxcieuhc.exe
File opened (read-only)	\??\p:	ceuozvjjvt.exe
File opened (read-only)	\??\b:	pxcieuhc.exe
File opened (read-only)	\??\k:	pxcieuhc.exe
File opened (read-only)	\??\r:	pxcieuhc.exe
File opened (read-only)	\??\h:	pxcieuhc.exe
File opened (read-only)	\??\p:	pxcieuhc.exe
File opened (read-only)	\??\q:	pxcieuhc.exe
File opened (read-only)	\??\m:	pxcieuhc.exe
File opened (read-only)	\??\n:	pxcieuhc.exe
File opened (read-only)	\??\i:	ceuozvjjvt.exe
File opened (read-only)	\??\r:	ceuozvjjvt.exe
File opened (read-only)	\??\s:	pxcieuhc.exe
File opened (read-only)	\??\v:	pxcieuhc.exe
File opened (read-only)	\??\l:	pxcieuhc.exe
File opened (read-only)	\??\o:	pxcieuhc.exe
File opened (read-only)	\??\w:	pxcieuhc.exe
File opened (read-only)	\??\p:	pxcieuhc.exe
File opened (read-only)	\??\b:	ceuozvjjvt.exe
File opened (read-only)	\??\u:	ceuozvjjvt.exe
File opened (read-only)	\??\y:	ceuozvjjvt.exe
File opened (read-only)	\??\g:	pxcieuhc.exe
File opened (read-only)	\??\n:	pxcieuhc.exe
File opened (read-only)	\??\k:	ceuozvjjvt.exe
File opened (read-only)	\??\m:	pxcieuhc.exe
File opened (read-only)	\??\u:	pxcieuhc.exe
File opened (read-only)	\??\u:	pxcieuhc.exe
File opened (read-only)	\??\v:	pxcieuhc.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ceuozvjjvt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ceuozvjjvt.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2292-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000122e8-7.dat	autoit_exe
behavioral1/files/0x000a000000012243-17.dat	autoit_exe
behavioral1/files/0x0007000000015d03-36.dat	autoit_exe
behavioral1/files/0x0028000000015c63-37.dat	autoit_exe
behavioral1/files/0x0006000000018b7e-69.dat	autoit_exe
behavioral1/files/0x0006000000018b9d-75.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uxygyynguabxokb.exe	804c591d6ff5b6254b2830e7095c5616.exe
File created	C:\Windows\SysWOW64\pxcieuhc.exe	804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification	C:\Windows\SysWOW64\jarzbhjfmsian.exe	804c591d6ff5b6254b2830e7095c5616.exe
File created	C:\Windows\SysWOW64\uxygyynguabxokb.exe	804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification	C:\Windows\SysWOW64\ceuozvjjvt.exe	804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification	C:\Windows\SysWOW64\pxcieuhc.exe	804c591d6ff5b6254b2830e7095c5616.exe
File created	C:\Windows\SysWOW64\jarzbhjfmsian.exe	804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ceuozvjjvt.exe
File created	C:\Windows\SysWOW64\ceuozvjjvt.exe	804c591d6ff5b6254b2830e7095c5616.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pxcieuhc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pxcieuhc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	pxcieuhc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pxcieuhc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	pxcieuhc.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pxcieuhc.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pxcieuhc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	804c591d6ff5b6254b2830e7095c5616.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78068B5FE6822D9D172D1A68A75906A"	804c591d6ff5b6254b2830e7095c5616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	ceuozvjjvt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	ceuozvjjvt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	ceuozvjjvt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	ceuozvjjvt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ceuozvjjvt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2604	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2760	uxygyynguabxokb.exe
2580	pxcieuhc.exe
2580	pxcieuhc.exe
2580	pxcieuhc.exe
2580	pxcieuhc.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2760	uxygyynguabxokb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe
Token: SeShutdownPrivilege	2648	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2580	pxcieuhc.exe
2580	pxcieuhc.exe
2580	pxcieuhc.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2292	804c591d6ff5b6254b2830e7095c5616.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2768	ceuozvjjvt.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2760	uxygyynguabxokb.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2808	jarzbhjfmsian.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2832	pxcieuhc.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2768	2292	804c591d6ff5b6254b2830e7095c5616.exe	28
PID 2292 wrote to memory of 2768	2292	804c591d6ff5b6254b2830e7095c5616.exe	28
PID 2292 wrote to memory of 2768	2292	804c591d6ff5b6254b2830e7095c5616.exe	28
PID 2292 wrote to memory of 2768	2292	804c591d6ff5b6254b2830e7095c5616.exe	28
PID 2292 wrote to memory of 2760	2292	804c591d6ff5b6254b2830e7095c5616.exe	29
PID 2292 wrote to memory of 2760	2292	804c591d6ff5b6254b2830e7095c5616.exe	29
PID 2292 wrote to memory of 2760	2292	804c591d6ff5b6254b2830e7095c5616.exe	29
PID 2292 wrote to memory of 2760	2292	804c591d6ff5b6254b2830e7095c5616.exe	29
PID 2292 wrote to memory of 2832	2292	804c591d6ff5b6254b2830e7095c5616.exe	30
PID 2292 wrote to memory of 2832	2292	804c591d6ff5b6254b2830e7095c5616.exe	30
PID 2292 wrote to memory of 2832	2292	804c591d6ff5b6254b2830e7095c5616.exe	30
PID 2292 wrote to memory of 2832	2292	804c591d6ff5b6254b2830e7095c5616.exe	30
PID 2292 wrote to memory of 2808	2292	804c591d6ff5b6254b2830e7095c5616.exe	31
PID 2292 wrote to memory of 2808	2292	804c591d6ff5b6254b2830e7095c5616.exe	31
PID 2292 wrote to memory of 2808	2292	804c591d6ff5b6254b2830e7095c5616.exe	31
PID 2292 wrote to memory of 2808	2292	804c591d6ff5b6254b2830e7095c5616.exe	31
PID 2768 wrote to memory of 2580	2768	ceuozvjjvt.exe	32
PID 2768 wrote to memory of 2580	2768	ceuozvjjvt.exe	32
PID 2768 wrote to memory of 2580	2768	ceuozvjjvt.exe	32
PID 2768 wrote to memory of 2580	2768	ceuozvjjvt.exe	32
PID 2292 wrote to memory of 2604	2292	804c591d6ff5b6254b2830e7095c5616.exe	33
PID 2292 wrote to memory of 2604	2292	804c591d6ff5b6254b2830e7095c5616.exe	33
PID 2292 wrote to memory of 2604	2292	804c591d6ff5b6254b2830e7095c5616.exe	33
PID 2292 wrote to memory of 2604	2292	804c591d6ff5b6254b2830e7095c5616.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe
"C:\Users\Admin\AppData\Local\Temp\804c591d6ff5b6254b2830e7095c5616.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\ceuozvjjvt.exe
  ceuozvjjvt.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\pxcieuhc.exe
    C:\Windows\system32\pxcieuhc.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2580
- C:\Windows\SysWOW64\uxygyynguabxokb.exe
  uxygyynguabxokb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2760
- C:\Windows\SysWOW64\pxcieuhc.exe
  pxcieuhc.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2832
- C:\Windows\SysWOW64\jarzbhjfmsian.exe
  jarzbhjfmsian.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2808
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
d857e6cdccf645b75bb08e6d0bc3d808

SHA1
1f6c865e00e89aaaf691ce3caf8ba4307b8f5538

SHA256
d4b4e62b23ee6649a1bdb6c87a631606b3a614dd3b0485e9592cda1c9d063f52

SHA512
378dd0df647187db19b86708fa3d129c69a54e26963b46ab5f8936a3855626ac6cf978faebf95605816133030d252b786052e7181ba13575b21957d56f5414e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
81915d00849bb628247d209da0ae2821

SHA1
831f691886adbce50da7b0da79b0694d5e075998

SHA256
b7d101886cb80a456e276c01dfaafc57660da68c82cebbfc90545f9b1a861232

SHA512
ce3f583ef651765329c6751bd64c7d004bfdd71ca8e487ad21b94e375b3b5c46328319879bb1bc49aab684edd9a6f3d5443dc3cce85c722b98c9299b2274d21a

Download Submit
C:\Windows\SysWOW64\jarzbhjfmsian.exe

Filesize
512KB

MD5
a61e2e5e5f3591edb59c722ad9ee052d

SHA1
c397dcd292958952a1ce203c57cdfec6db003c01

SHA256
9dfaecb1ef46f376ccaa926ecd9c1883cbe490c23f3be528396ed5f388def510

SHA512
eec8780743395f571bfb0d7b6c1e71ad890b2d22cb4fff11ce4a460a2923d7e89e6b99eb98891e5c74653f63e0dd0b32a3ed458ed3f81001ee088b645487c82f

Download Submit
C:\Windows\SysWOW64\pxcieuhc.exe

Filesize
512KB

MD5
fcf125a22fc8aff63e07e87cb2dddaba

SHA1
62524dd62155bf7a75a93c7e0acdfee5f8d4b975

SHA256
9dc763d6d7b50c7fe34a388510373c2a231a1caddadcebc5569ba59c4cc815e4

SHA512
3442f0fbe6b30d095c32e0e9469a1cc96c8aea786f1818c4fe79c2aa029db58f599f4cb193f9d010a570231226b59036dcaceafa2d94ce343019ceef3aca91dd

Download Submit
C:\Windows\SysWOW64\uxygyynguabxokb.exe

Filesize
512KB

MD5
9c21741882498b251be6068641a905af

SHA1
e6431d49400f8636e358b5d6c69d058aee913f49

SHA256
da5f6f622f626e9d4dc040d5d28d93816d095b3c1da8413d8e49ddb6a23e4683

SHA512
f732bbf22728278dce6d379d9bae951d4470903ee6f25ed80718e1f112ffdbd33e78be18a27813b4638b6e8204a5afd54f813a12a786c9c0d3ad1aef58c03060

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\ceuozvjjvt.exe

Filesize
512KB

MD5
bb61567a9070adc596ce21b407ac097f

SHA1
4d65c8110d1890db7bd26cf9c7f9187e4de022b5

SHA256
f4c73abdbeded1601bd143da73d425fb6d38835aff362989de198174cf5f7a61

SHA512
95dd0a98e44c3cccb352e700bf4799f893640402988d8b9c24dbb150685f3b1f7bc880b23f3ca7582f523e82b7c4cf4aff8d1aee62123a96ae0dae7a3c922a6c

Download Submit
memory/2292-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2604-45-0x000000002FEF1000-0x000000002FEF2000-memory.dmp

Filesize
4KB

Download
memory/2604-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2604-47-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/2604-78-0x0000000070EFD000-0x0000000070F08000-memory.dmp

Filesize
44KB

Download
memory/2648-77-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2648-80-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2648-85-0x0000000002730000-0x0000000002740000-memory.dmp

Filesize
64KB

Download