47c941d290649db65bb691f83c02134889baa324904154945907e581efd2a140

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-02-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85bb1afcb209c6e462a5a0758e02886a.exe
Size

512KB
MD5

85bb1afcb209c6e462a5a0758e02886a
SHA1

d71024ae4d476663e9e9d42698515ff16726f7cb
SHA256

47c941d290649db65bb691f83c02134889baa324904154945907e581efd2a140
SHA512

f919243840bdbf682f120bb83858b86f69c830b708519a5f825801d686c3dd40203776d2e5a082985d343be3daf6ce9ac0e64028aa358bc882eeeaa940143215
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6w:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm51

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	gixrkasrlo.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	gixrkasrlo.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gixrkasrlo.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	gixrkasrlo.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
2776	gixrkasrlo.exe
2720	yfxyrsmewtoiksc.exe
2700	esszfnzk.exe
2728	nemzvznannupl.exe
2808	esszfnzk.exe

Loads dropped DLL 5 IoCs

pid	Process
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
2776	gixrkasrlo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	gixrkasrlo.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gnnbdnjc = "yfxyrsmewtoiksc.exe"	yfxyrsmewtoiksc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nemzvznannupl.exe"	yfxyrsmewtoiksc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cnydivtz = "gixrkasrlo.exe"	yfxyrsmewtoiksc.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	esszfnzk.exe
File opened (read-only)	\??\k:	esszfnzk.exe
File opened (read-only)	\??\n:	esszfnzk.exe
File opened (read-only)	\??\i:	gixrkasrlo.exe
File opened (read-only)	\??\e:	esszfnzk.exe
File opened (read-only)	\??\h:	esszfnzk.exe
File opened (read-only)	\??\u:	esszfnzk.exe
File opened (read-only)	\??\a:	esszfnzk.exe
File opened (read-only)	\??\w:	esszfnzk.exe
File opened (read-only)	\??\s:	esszfnzk.exe
File opened (read-only)	\??\v:	esszfnzk.exe
File opened (read-only)	\??\o:	gixrkasrlo.exe
File opened (read-only)	\??\b:	esszfnzk.exe
File opened (read-only)	\??\g:	esszfnzk.exe
File opened (read-only)	\??\j:	esszfnzk.exe
File opened (read-only)	\??\w:	esszfnzk.exe
File opened (read-only)	\??\k:	gixrkasrlo.exe
File opened (read-only)	\??\o:	esszfnzk.exe
File opened (read-only)	\??\r:	esszfnzk.exe
File opened (read-only)	\??\x:	esszfnzk.exe
File opened (read-only)	\??\o:	esszfnzk.exe
File opened (read-only)	\??\e:	gixrkasrlo.exe
File opened (read-only)	\??\l:	gixrkasrlo.exe
File opened (read-only)	\??\u:	gixrkasrlo.exe
File opened (read-only)	\??\w:	gixrkasrlo.exe
File opened (read-only)	\??\i:	esszfnzk.exe
File opened (read-only)	\??\j:	gixrkasrlo.exe
File opened (read-only)	\??\k:	esszfnzk.exe
File opened (read-only)	\??\q:	esszfnzk.exe
File opened (read-only)	\??\v:	gixrkasrlo.exe
File opened (read-only)	\??\t:	esszfnzk.exe
File opened (read-only)	\??\h:	esszfnzk.exe
File opened (read-only)	\??\u:	esszfnzk.exe
File opened (read-only)	\??\t:	gixrkasrlo.exe
File opened (read-only)	\??\n:	esszfnzk.exe
File opened (read-only)	\??\p:	esszfnzk.exe
File opened (read-only)	\??\r:	esszfnzk.exe
File opened (read-only)	\??\x:	esszfnzk.exe
File opened (read-only)	\??\r:	gixrkasrlo.exe
File opened (read-only)	\??\q:	esszfnzk.exe
File opened (read-only)	\??\j:	esszfnzk.exe
File opened (read-only)	\??\b:	gixrkasrlo.exe
File opened (read-only)	\??\q:	gixrkasrlo.exe
File opened (read-only)	\??\p:	esszfnzk.exe
File opened (read-only)	\??\v:	esszfnzk.exe
File opened (read-only)	\??\y:	esszfnzk.exe
File opened (read-only)	\??\z:	esszfnzk.exe
File opened (read-only)	\??\a:	gixrkasrlo.exe
File opened (read-only)	\??\h:	gixrkasrlo.exe
File opened (read-only)	\??\z:	gixrkasrlo.exe
File opened (read-only)	\??\a:	esszfnzk.exe
File opened (read-only)	\??\l:	esszfnzk.exe
File opened (read-only)	\??\y:	esszfnzk.exe
File opened (read-only)	\??\z:	esszfnzk.exe
File opened (read-only)	\??\l:	esszfnzk.exe
File opened (read-only)	\??\t:	esszfnzk.exe
File opened (read-only)	\??\g:	gixrkasrlo.exe
File opened (read-only)	\??\y:	gixrkasrlo.exe
File opened (read-only)	\??\b:	esszfnzk.exe
File opened (read-only)	\??\e:	esszfnzk.exe
File opened (read-only)	\??\i:	esszfnzk.exe
File opened (read-only)	\??\p:	gixrkasrlo.exe
File opened (read-only)	\??\s:	gixrkasrlo.exe
File opened (read-only)	\??\m:	esszfnzk.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	gixrkasrlo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	gixrkasrlo.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b00000001224e-20.dat	autoit_exe
behavioral1/files/0x000b00000001224e-17.dat	autoit_exe
behavioral1/files/0x000a000000015cb3-25.dat	autoit_exe
behavioral1/files/0x000a000000015cb3-21.dat	autoit_exe
behavioral1/files/0x0038000000015d2f-31.dat	autoit_exe
behavioral1/files/0x000b00000001224e-27.dat	autoit_exe
behavioral1/files/0x0007000000015d70-38.dat	autoit_exe
behavioral1/files/0x0007000000015d70-44.dat	autoit_exe
behavioral1/files/0x0038000000015d2f-42.dat	autoit_exe
behavioral1/files/0x0038000000015d2f-41.dat	autoit_exe
behavioral1/files/0x0038000000015d2f-40.dat	autoit_exe
behavioral1/files/0x0007000000015d70-34.dat	autoit_exe
behavioral1/files/0x000a000000015cb3-33.dat	autoit_exe
behavioral1/files/0x0038000000015d2f-28.dat	autoit_exe
behavioral1/files/0x000a000000015cb3-5.dat	autoit_exe
behavioral1/files/0x0006000000016da2-73.dat	autoit_exe
behavioral1/files/0x0006000000016db6-76.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gixrkasrlo.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File created	C:\Windows\SysWOW64\esszfnzk.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File created	C:\Windows\SysWOW64\nemzvznannupl.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File opened for modification	C:\Windows\SysWOW64\nemzvznannupl.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	gixrkasrlo.exe
File opened for modification	C:\Windows\SysWOW64\gixrkasrlo.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File created	C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File opened for modification	C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe	85bb1afcb209c6e462a5a0758e02886a.exe
File opened for modification	C:\Windows\SysWOW64\esszfnzk.exe	85bb1afcb209c6e462a5a0758e02886a.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	esszfnzk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	esszfnzk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	esszfnzk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	esszfnzk.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	esszfnzk.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	esszfnzk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	esszfnzk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	85bb1afcb209c6e462a5a0758e02886a.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	gixrkasrlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F26BC2FF6D21DCD279D1A88B7D9060"	85bb1afcb209c6e462a5a0758e02886a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	gixrkasrlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	gixrkasrlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	gixrkasrlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2720	yfxyrsmewtoiksc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe
Token: SeShutdownPrivilege	384	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
1680	85bb1afcb209c6e462a5a0758e02886a.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2776	gixrkasrlo.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2720	yfxyrsmewtoiksc.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2700	esszfnzk.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2728	nemzvznannupl.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
2808	esszfnzk.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe
384	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2616	WINWORD.EXE
2616	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2776	1680	85bb1afcb209c6e462a5a0758e02886a.exe	33
PID 1680 wrote to memory of 2776	1680	85bb1afcb209c6e462a5a0758e02886a.exe	33
PID 1680 wrote to memory of 2776	1680	85bb1afcb209c6e462a5a0758e02886a.exe	33
PID 1680 wrote to memory of 2776	1680	85bb1afcb209c6e462a5a0758e02886a.exe	33
PID 1680 wrote to memory of 2720	1680	85bb1afcb209c6e462a5a0758e02886a.exe	28
PID 1680 wrote to memory of 2720	1680	85bb1afcb209c6e462a5a0758e02886a.exe	28
PID 1680 wrote to memory of 2720	1680	85bb1afcb209c6e462a5a0758e02886a.exe	28
PID 1680 wrote to memory of 2720	1680	85bb1afcb209c6e462a5a0758e02886a.exe	28
PID 1680 wrote to memory of 2700	1680	85bb1afcb209c6e462a5a0758e02886a.exe	32
PID 1680 wrote to memory of 2700	1680	85bb1afcb209c6e462a5a0758e02886a.exe	32
PID 1680 wrote to memory of 2700	1680	85bb1afcb209c6e462a5a0758e02886a.exe	32
PID 1680 wrote to memory of 2700	1680	85bb1afcb209c6e462a5a0758e02886a.exe	32
PID 1680 wrote to memory of 2728	1680	85bb1afcb209c6e462a5a0758e02886a.exe	30
PID 1680 wrote to memory of 2728	1680	85bb1afcb209c6e462a5a0758e02886a.exe	30
PID 1680 wrote to memory of 2728	1680	85bb1afcb209c6e462a5a0758e02886a.exe	30
PID 1680 wrote to memory of 2728	1680	85bb1afcb209c6e462a5a0758e02886a.exe	30
PID 2776 wrote to memory of 2808	2776	gixrkasrlo.exe	29
PID 2776 wrote to memory of 2808	2776	gixrkasrlo.exe	29
PID 2776 wrote to memory of 2808	2776	gixrkasrlo.exe	29
PID 2776 wrote to memory of 2808	2776	gixrkasrlo.exe	29
PID 1680 wrote to memory of 2616	1680	85bb1afcb209c6e462a5a0758e02886a.exe	31
PID 1680 wrote to memory of 2616	1680	85bb1afcb209c6e462a5a0758e02886a.exe	31
PID 1680 wrote to memory of 2616	1680	85bb1afcb209c6e462a5a0758e02886a.exe	31
PID 1680 wrote to memory of 2616	1680	85bb1afcb209c6e462a5a0758e02886a.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85bb1afcb209c6e462a5a0758e02886a.exe
"C:\Users\Admin\AppData\Local\Temp\85bb1afcb209c6e462a5a0758e02886a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe
  yfxyrsmewtoiksc.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2720
- C:\Windows\SysWOW64\nemzvznannupl.exe
  nemzvznannupl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2728
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2616
- C:\Windows\SysWOW64\esszfnzk.exe
  esszfnzk.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2700
- C:\Windows\SysWOW64\gixrkasrlo.exe
  gixrkasrlo.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2776

C:\Windows\SysWOW64\esszfnzk.exe
C:\Windows\system32\esszfnzk.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
61ff4d93047f3f7a170294deaccc4ba5

SHA1
88edcaa816530a597ec8a52a5117f55b1923ba6f

SHA256
1c9c8bff1f985692b0d0ddda17d39f8453dc811d16e067772cec9d4c680b5382

SHA512
785cf78b673c27fd19b51c15068e43322718506adf714de5ab19d08a1722c921d19472f52923363abbe94b8eda39805b97b765a55df62845f5ce543d9dd6a567

Download Submit
C:\Users\Admin\Documents\TraceRequest.doc.exe

Filesize
512KB

MD5
f091544c83adbf716b9c177e032685eb

SHA1
3198a80ba5a084706b20e564a6c6060b51fdb160

SHA256
24be84e8b2ffc1dd623f733b32d025d33eea011f0a4716e4d3373a5ae918f4e1

SHA512
df9f781af813c118cd792c47408c1b04212511d802db9b78d57a67643dd79e68552d9a550f5b029cebfed106af039198c2579bbd9f93bafae5cd2e6dd563ee95

Download Submit
C:\Windows\SysWOW64\esszfnzk.exe

Filesize
190KB

MD5
9a626263cf3e98947e52aac646a275e0

SHA1
9cd2dabcbe823281b7e092f26bbb148f61271a6f

SHA256
21143a599d34881b5f146b546cc0e97192c9ff2ef47baa0b3d5294dc5626226e

SHA512
994e142d0e4a6def28eef92f395f65cff11c0bc5bacbcda2f1d59e8bcc97d4d5931707666d705bef12f9f8094cffa2d4bfe94aece076626ffbed4e4785be95d8

Download Submit
C:\Windows\SysWOW64\esszfnzk.exe

Filesize
183KB

MD5
f717fb83346e4618a82e35026e3b2a04

SHA1
8d5cc798f8387f8827154454c60b22db2877cf5e

SHA256
aa8f7680b17bfaa4987664091615c074f99be7bca35b214907152281cca9f74e

SHA512
5cba90d846e0c53798d7278e798d6a3cdf4a26ba38e326092ce027f022b14b77d6e266bad688a0cc0f586760aaa0da2b9259ae494b3d6131b3001c3f98dd6dcf

Download Submit
C:\Windows\SysWOW64\esszfnzk.exe

Filesize
238KB

MD5
f7109e879766c32ba1b95016f4c5e449

SHA1
146859ac2efaee0343878110dd4a362e0c3baf3d

SHA256
67b01429c8945c90a6a2d2a2c411763c1b9d39673bb5273dbe75febecdabf106

SHA512
788739b9c035d8c09020e6d1e2824253e2343991238bd5106fa349b07a49d2da0b69cdea51c158f3282ce0fab87c8ae9cc578b0bf60a5511432e0202fbb7f449

Download Submit
C:\Windows\SysWOW64\gixrkasrlo.exe

Filesize
178KB

MD5
16bed59f2c3f38da38450429d7b98dc5

SHA1
3c076afbbaa35a499c74189025f7a3bde2662aa8

SHA256
86fc1caf04d029fec3edc67b291dd71bf9b4127402004e7a979b15c70eda759a

SHA512
d5bc3bbfe5dcd3df8e5d6f71402efd18907ff67d7f9e574f8137b62d68a65229f75df341dce7060934d62ebd0aed0ddca83af8557e7f0ef307adfc03f35d21f8

Download Submit
C:\Windows\SysWOW64\gixrkasrlo.exe

Filesize
170KB

MD5
76dd1cd0113237826065945b7ae005f6

SHA1
dcaf0427712fc24228408c7f8d64100b30574460

SHA256
4f3fe4287d45493bb19d8e23bec6939f78892a3c61f7eaef53e7f1fcaa932840

SHA512
a1be3b9b055ac0bf5efb77f6b84608a4ddf29e568b4c9c9ff7b78d72f2aab07cbc86785ab244b7fda3a5bc45a59578556e48ca1cb4a50e5857776127acc0983f

Download Submit
C:\Windows\SysWOW64\nemzvznannupl.exe

Filesize
196KB

MD5
79fb08a8df561b2213c047e94abd0978

SHA1
c4986169667a66b40e8722f60305d4467965fc64

SHA256
33372f12246c9127ded2dff174d0c66d53b0975bb72b4e31487aa2e76daa113e

SHA512
82f564e9d89ed7ba5e9b56b018a76e49d0aac3f829b5d50a82ea51593dd2f661806de809c04cd50bfaa3eeb007d84915c4f86d5c7eaa65eb53254430aa7a5a52

Download Submit
C:\Windows\SysWOW64\nemzvznannupl.exe

Filesize
249KB

MD5
b8a48aede83b50b9061aedc1f7b1c006

SHA1
be581861a62ae908fbddce47a54eb959f99c1c95

SHA256
9e60637e73270b2a1df7170c63562fe1cc10c6f3d5b7a2cf3849e0dab5631379

SHA512
b15059ad6c48bbc4fbbbe11d3f813904aad957c9c47724b0bef812192f0097f066bfa5435425523b9cb94fe6b89211d3d70135054df7ad323d7183df5bf4bbc5

Download Submit
C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe

Filesize
181KB

MD5
58d331817e257477a8e2b15778f42d4b

SHA1
e0ea43e978df7613a3c36dea39e7ff9d388cd46c

SHA256
cd74c1f8e4c1e3f2f751a51ac47e3197c667ee58c50ce3db1a3048ff040f08ad

SHA512
bff6a93977ad471b76309ea4678304fd3f2d9444a3b194847568e1327e026e592c130169ccc7fd37868ecfcbfdad313ac27757fa9370e2b30eaba385569c8243

Download Submit
C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe

Filesize
161KB

MD5
7b2bcb716a48c1a5d134fecbe5ce8d0b

SHA1
9061e50e48f667b53c83e978abd3157162c52aa8

SHA256
ed21c7bf27658a530cc0598c89433def91e7649c47960f7332a502ff1fd9d764

SHA512
0dc85f7ab7147e110c8779c1c8b64bccfa17a5a8d1e6d5cb3123488f283372fb6b2aa40c960fa279244ed5df16e87d2dc5fc93519b2e00b85aa351017b4a2514

Download Submit
C:\Windows\SysWOW64\yfxyrsmewtoiksc.exe

Filesize
279KB

MD5
0d4c89e29c3d7acfc57acfc81f154a69

SHA1
18aae41edda2c74f17f44cf096188f956bcea684

SHA256
d1b66b61681b5219476acd899874ba9643ddacec6207d986d6f958cd3796cfe8

SHA512
6bb1812cbfaf28875c1ce21a03a90f23f328670ca871a603768444f32cd32d8acf5bbf8a5365f7cd4b599813c6f734fe19fa4b7b48828613d5f3c306e358c91c

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\esszfnzk.exe

Filesize
274KB

MD5
ce3b275b3fa2ab79810d80a57c8fd204

SHA1
9feebbb10ec7c7c6d264e63c965b0ceac651af28

SHA256
c6aef3b275e922c11acfbecfa02c178bfcb8bf475f345112409996e8c7d3fec8

SHA512
591e727531243d5ee06f30a6fd9d65196e114c6ae983d308737f3f124c7052bca9b092c7c7ed78a023cfef902503c49b3b95ee8aeb337f8825eecf6d684dcf62

Download Submit
\Windows\SysWOW64\esszfnzk.exe

Filesize
224KB

MD5
acebbfc910336d2c085bd3de720c897a

SHA1
ce5b24ca430a889dfa9f5a67a218cc13aefff82e

SHA256
17737c0172102ce9094edc16edcde80857aea4390fd87f7fa58afa203be51ac7

SHA512
65420f6fdec90ff3905472fe480b0625a8285c01020c9bfbb3ffb44c0f8bcf066b9f371b0a4c584d2a6abcf092b0c9dff923d0bc6a2089ea85301df21a9a5c58

Download Submit
\Windows\SysWOW64\gixrkasrlo.exe

Filesize
260KB

MD5
ead4c3a22737e3c6fa9964d8933bfd9f

SHA1
ede6cef904a2eb177c747571e7cd2738ce055fcf

SHA256
52652914cb6de57e153ea90b807b4a5180cc3018bbaa3edc15623af3f55b01e0

SHA512
6d55af68a60d4d91dff4b0f8fc1eb540f312d6bc3726a13000ac2acc4c4cf3a48038de80336db896afafa85d3fa2c178007432284ef5db6d311b9fdad0fbab93

Download Submit
\Windows\SysWOW64\nemzvznannupl.exe

Filesize
164KB

MD5
6e5e89cabde1e5dbc8eb170dbd41b55f

SHA1
7a52466af6161daaed328a41aa973ad77ce6cceb

SHA256
6af00648dc1631456431c04f7350e3bc15dfec9d85f0427c76e13d8866a6ca72

SHA512
751687bbb27e4a9e39b388aa2b80380721ad5dd94987c10e300ced034f6235c8b85d144e17e1beba1d482d761494fcd34da185214796fcd042914b0992629fd8

Download Submit
\Windows\SysWOW64\yfxyrsmewtoiksc.exe

Filesize
217KB

MD5
a2d006ad8047252a730c3ad3851dfaf8

SHA1
a863a4ef62d01cfd496edbf039029cb1df4ed745

SHA256
238a7b152307e51eb85eeca59b0721f740d7d2950d7d2361aee756b0144b2893

SHA512
4a06b4b88552fd6274fee74126022a1de6b0aa4a6cbedc95b37e9c61fbaeaa16951c0e70132c9cd9068d3a4a61d837975aaf9e52b328e639c66a7e6c720fc606

Download Submit
memory/384-78-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/384-81-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/384-86-0x00000000029A0000-0x00000000029B0000-memory.dmp

Filesize
64KB

Download
memory/1680-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2616-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-47-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download
memory/2616-45-0x000000002FAE1000-0x000000002FAE2000-memory.dmp

Filesize
4KB

Download
memory/2616-79-0x0000000070B9D000-0x0000000070BA8000-memory.dmp

Filesize
44KB

Download