69347a80b962904a59cc1114412832f2449c79f5601468d5e424dda355aa2296

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98705b5a907f1a691359259b19b16d3d.exe
Size

512KB
MD5

98705b5a907f1a691359259b19b16d3d
SHA1

baef9e414aa721ec9c310a32c78b1160ab99f48b
SHA256

69347a80b962904a59cc1114412832f2449c79f5601468d5e424dda355aa2296
SHA512

44d4b37bd5d1d2da6065e062f7b549c966d177e960358ed46caee459d1df7ad954b4ae04fa8affdba0a5713e926d5a21847ace76af08a0683c334e6b20949598
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj66:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mehxrtslky.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mehxrtslky.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mehxrtslky.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mehxrtslky.exe

Executes dropped EXE 5 IoCs

pid	Process
2704	mehxrtslky.exe
2748	gpkhxgzkrjrtecj.exe
2972	oymjdadw.exe
2036	koxahpblxdfhn.exe
2868	oymjdadw.exe

Loads dropped DLL 5 IoCs

pid	Process
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2704	mehxrtslky.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mehxrtslky.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vtxdzirg = "mehxrtslky.exe"	gpkhxgzkrjrtecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ohgwytot = "gpkhxgzkrjrtecj.exe"	gpkhxgzkrjrtecj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "koxahpblxdfhn.exe"	gpkhxgzkrjrtecj.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	mehxrtslky.exe
File opened (read-only)	\??\r:	oymjdadw.exe
File opened (read-only)	\??\u:	oymjdadw.exe
File opened (read-only)	\??\a:	oymjdadw.exe
File opened (read-only)	\??\l:	oymjdadw.exe
File opened (read-only)	\??\j:	mehxrtslky.exe
File opened (read-only)	\??\l:	mehxrtslky.exe
File opened (read-only)	\??\j:	oymjdadw.exe
File opened (read-only)	\??\n:	oymjdadw.exe
File opened (read-only)	\??\z:	oymjdadw.exe
File opened (read-only)	\??\s:	mehxrtslky.exe
File opened (read-only)	\??\z:	oymjdadw.exe
File opened (read-only)	\??\g:	oymjdadw.exe
File opened (read-only)	\??\i:	oymjdadw.exe
File opened (read-only)	\??\r:	oymjdadw.exe
File opened (read-only)	\??\x:	oymjdadw.exe
File opened (read-only)	\??\o:	oymjdadw.exe
File opened (read-only)	\??\w:	oymjdadw.exe
File opened (read-only)	\??\u:	mehxrtslky.exe
File opened (read-only)	\??\e:	oymjdadw.exe
File opened (read-only)	\??\h:	oymjdadw.exe
File opened (read-only)	\??\n:	oymjdadw.exe
File opened (read-only)	\??\x:	oymjdadw.exe
File opened (read-only)	\??\o:	mehxrtslky.exe
File opened (read-only)	\??\x:	mehxrtslky.exe
File opened (read-only)	\??\a:	oymjdadw.exe
File opened (read-only)	\??\g:	oymjdadw.exe
File opened (read-only)	\??\q:	oymjdadw.exe
File opened (read-only)	\??\v:	oymjdadw.exe
File opened (read-only)	\??\k:	mehxrtslky.exe
File opened (read-only)	\??\l:	oymjdadw.exe
File opened (read-only)	\??\s:	oymjdadw.exe
File opened (read-only)	\??\u:	oymjdadw.exe
File opened (read-only)	\??\y:	oymjdadw.exe
File opened (read-only)	\??\p:	mehxrtslky.exe
File opened (read-only)	\??\y:	mehxrtslky.exe
File opened (read-only)	\??\z:	mehxrtslky.exe
File opened (read-only)	\??\j:	oymjdadw.exe
File opened (read-only)	\??\b:	oymjdadw.exe
File opened (read-only)	\??\k:	oymjdadw.exe
File opened (read-only)	\??\m:	oymjdadw.exe
File opened (read-only)	\??\s:	oymjdadw.exe
File opened (read-only)	\??\n:	mehxrtslky.exe
File opened (read-only)	\??\i:	oymjdadw.exe
File opened (read-only)	\??\p:	oymjdadw.exe
File opened (read-only)	\??\a:	mehxrtslky.exe
File opened (read-only)	\??\b:	mehxrtslky.exe
File opened (read-only)	\??\t:	mehxrtslky.exe
File opened (read-only)	\??\h:	oymjdadw.exe
File opened (read-only)	\??\t:	oymjdadw.exe
File opened (read-only)	\??\v:	oymjdadw.exe
File opened (read-only)	\??\t:	oymjdadw.exe
File opened (read-only)	\??\w:	mehxrtslky.exe
File opened (read-only)	\??\o:	oymjdadw.exe
File opened (read-only)	\??\w:	oymjdadw.exe
File opened (read-only)	\??\e:	mehxrtslky.exe
File opened (read-only)	\??\v:	mehxrtslky.exe
File opened (read-only)	\??\p:	oymjdadw.exe
File opened (read-only)	\??\q:	oymjdadw.exe
File opened (read-only)	\??\y:	oymjdadw.exe
File opened (read-only)	\??\m:	mehxrtslky.exe
File opened (read-only)	\??\q:	mehxrtslky.exe
File opened (read-only)	\??\r:	mehxrtslky.exe
File opened (read-only)	\??\e:	oymjdadw.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	mehxrtslky.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	mehxrtslky.exe

AutoIT Executable 19 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2056-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000e00000001224c-17.dat	autoit_exe
behavioral1/files/0x000e00000001224c-20.dat	autoit_exe
behavioral1/files/0x00300000000146c8-32.dat	autoit_exe
behavioral1/files/0x00080000000122c9-30.dat	autoit_exe
behavioral1/files/0x0007000000014a56-38.dat	autoit_exe
behavioral1/files/0x0007000000014a56-33.dat	autoit_exe
behavioral1/files/0x0007000000014a56-41.dat	autoit_exe
behavioral1/files/0x00300000000146c8-40.dat	autoit_exe
behavioral1/files/0x00300000000146c8-28.dat	autoit_exe
behavioral1/files/0x00080000000122c9-26.dat	autoit_exe
behavioral1/files/0x000e00000001224c-24.dat	autoit_exe
behavioral1/files/0x00080000000122c9-22.dat	autoit_exe
behavioral1/files/0x00300000000146c8-43.dat	autoit_exe
behavioral1/files/0x00300000000146c8-42.dat	autoit_exe
behavioral1/files/0x00080000000122c9-5.dat	autoit_exe
behavioral1/files/0x0006000000015f68-72.dat	autoit_exe
behavioral1/files/0x0006000000015ea4-66.dat	autoit_exe
behavioral1/files/0x0006000000015fdb-77.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe	98705b5a907f1a691359259b19b16d3d.exe
File opened for modification	C:\Windows\SysWOW64\oymjdadw.exe	98705b5a907f1a691359259b19b16d3d.exe
File opened for modification	C:\Windows\SysWOW64\koxahpblxdfhn.exe	98705b5a907f1a691359259b19b16d3d.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	mehxrtslky.exe
File created	C:\Windows\SysWOW64\mehxrtslky.exe	98705b5a907f1a691359259b19b16d3d.exe
File created	C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe	98705b5a907f1a691359259b19b16d3d.exe
File created	C:\Windows\SysWOW64\koxahpblxdfhn.exe	98705b5a907f1a691359259b19b16d3d.exe
File opened for modification	C:\Windows\SysWOW64\mehxrtslky.exe	98705b5a907f1a691359259b19b16d3d.exe
File created	C:\Windows\SysWOW64\oymjdadw.exe	98705b5a907f1a691359259b19b16d3d.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oymjdadw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	oymjdadw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oymjdadw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oymjdadw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	oymjdadw.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	oymjdadw.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	oymjdadw.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	98705b5a907f1a691359259b19b16d3d.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	mehxrtslky.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	mehxrtslky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	mehxrtslky.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184FC67915E5DBC7B9CD7FE0ED9137CD"	98705b5a907f1a691359259b19b16d3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	mehxrtslky.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B05847E339E853CABAD332EAD4BE"	98705b5a907f1a691359259b19b16d3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	mehxrtslky.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2168	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2868	oymjdadw.exe
2868	oymjdadw.exe
2868	oymjdadw.exe
2868	oymjdadw.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2748	gpkhxgzkrjrtecj.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2868	oymjdadw.exe
2868	oymjdadw.exe
2868	oymjdadw.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2056	98705b5a907f1a691359259b19b16d3d.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2704	mehxrtslky.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2748	gpkhxgzkrjrtecj.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2972	oymjdadw.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2036	koxahpblxdfhn.exe
2868	oymjdadw.exe
2868	oymjdadw.exe
2868	oymjdadw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2168	WINWORD.EXE
2168	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2704	2056	98705b5a907f1a691359259b19b16d3d.exe	19
PID 2056 wrote to memory of 2704	2056	98705b5a907f1a691359259b19b16d3d.exe	19
PID 2056 wrote to memory of 2704	2056	98705b5a907f1a691359259b19b16d3d.exe	19
PID 2056 wrote to memory of 2704	2056	98705b5a907f1a691359259b19b16d3d.exe	19
PID 2056 wrote to memory of 2748	2056	98705b5a907f1a691359259b19b16d3d.exe	16
PID 2056 wrote to memory of 2748	2056	98705b5a907f1a691359259b19b16d3d.exe	16
PID 2056 wrote to memory of 2748	2056	98705b5a907f1a691359259b19b16d3d.exe	16
PID 2056 wrote to memory of 2748	2056	98705b5a907f1a691359259b19b16d3d.exe	16
PID 2056 wrote to memory of 2972	2056	98705b5a907f1a691359259b19b16d3d.exe	14
PID 2056 wrote to memory of 2972	2056	98705b5a907f1a691359259b19b16d3d.exe	14
PID 2056 wrote to memory of 2972	2056	98705b5a907f1a691359259b19b16d3d.exe	14
PID 2056 wrote to memory of 2972	2056	98705b5a907f1a691359259b19b16d3d.exe	14
PID 2056 wrote to memory of 2036	2056	98705b5a907f1a691359259b19b16d3d.exe	15
PID 2056 wrote to memory of 2036	2056	98705b5a907f1a691359259b19b16d3d.exe	15
PID 2056 wrote to memory of 2036	2056	98705b5a907f1a691359259b19b16d3d.exe	15
PID 2056 wrote to memory of 2036	2056	98705b5a907f1a691359259b19b16d3d.exe	15
PID 2704 wrote to memory of 2868	2704	mehxrtslky.exe	17
PID 2704 wrote to memory of 2868	2704	mehxrtslky.exe	17
PID 2704 wrote to memory of 2868	2704	mehxrtslky.exe	17
PID 2704 wrote to memory of 2868	2704	mehxrtslky.exe	17
PID 2056 wrote to memory of 2168	2056	98705b5a907f1a691359259b19b16d3d.exe	18
PID 2056 wrote to memory of 2168	2056	98705b5a907f1a691359259b19b16d3d.exe	18
PID 2056 wrote to memory of 2168	2056	98705b5a907f1a691359259b19b16d3d.exe	18
PID 2056 wrote to memory of 2168	2056	98705b5a907f1a691359259b19b16d3d.exe	18
PID 2168 wrote to memory of 2228	2168	WINWORD.EXE	36
PID 2168 wrote to memory of 2228	2168	WINWORD.EXE	36
PID 2168 wrote to memory of 2228	2168	WINWORD.EXE	36
PID 2168 wrote to memory of 2228	2168	WINWORD.EXE	36

C:\Windows\SysWOW64\oymjdadw.exe
oymjdadw.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2972

C:\Windows\SysWOW64\koxahpblxdfhn.exe
koxahpblxdfhn.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036

C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe
gpkhxgzkrjrtecj.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2748

C:\Windows\SysWOW64\oymjdadw.exe
C:\Windows\system32\oymjdadw.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2228

C:\Windows\SysWOW64\mehxrtslky.exe
mehxrtslky.exe
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe
"C:\Users\Admin\AppData\Local\Temp\98705b5a907f1a691359259b19b16d3d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
27KB

MD5
114e91064c18c1733bc2db21626c91f6

SHA1
4a17aea35d2057e84e9178faffa3ade644206fd9

SHA256
d7d198612f03a0bb9ec99f3a73fa404c691e923253108dbcc2f3ea127bcabfd4

SHA512
134615691e1e3d061517743fcddb99b68e8d45bf5b8c51fbc7d17649ce152dcc48ba53e053724f854af028a9445421890b97bec09bccbc9153fa92f468542b78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
190KB

MD5
64fbc7106d6a57d14d2f811dbe7f1883

SHA1
893cc7b11d49748bf3978db761ff2f412234867d

SHA256
2c49cdb645dfccfade9187465304b966c827cbb0319f241a584a011aa0604e5e

SHA512
91e44b89ad92b3abe19d1b3777fa5b2c1f539967d2914f6bed8139b7cda36f901591eab5f82e3cb2c85cd0e10e6bf345d15acdba1a0f4dc1cbf21d64b83faf32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
16413d78e932e15aebfe834a1938fffe

SHA1
8ec0433fc548fcde9e94d9d1d5e8509162cc71e7

SHA256
6bd5481b930e4bed0441dc904d225364f60bef5423b6fe425a31a4b4182a9839

SHA512
197c4ac8888f09a72aba941859742037aa65a2bc7e1a192ccd64d22ec06bc09f81a4134de9fe8db95ffb2480ec3bee47de5ee0145b5211b836b710a092cf5cbe

Download Submit
C:\Users\Admin\Documents\RestartSelect.doc.exe

Filesize
512KB

MD5
7d0b34fd7d99f752d4ffde95f9604054

SHA1
e09d3ba84d34234d7b398ff7273b4d3026e8f415

SHA256
384ad45b44b0b989918cd4acc1bf2364e8a584c8fe99a06878ae85c86b263631

SHA512
a02a6c75871df50f5c73eefe817952ed3ce37a60a8c2207b88c86df9d0c2313f6c1fb49216e0a70a435ddded20baa71124aba919ffbc0a4e481b53c559c110f7

Download Submit
C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe

Filesize
111KB

MD5
cad39588f684468e2829c4f0944324e6

SHA1
704160bbe30b7ebe1b8392aecf7637723cf2d422

SHA256
3a4b1f779277c2265b64fbb7b429523f63e376ebbbd6aefdc1d3412da5f2aa34

SHA512
17d28f8652c85f7f7c607eec25da6c16458d3a34bbf31f715ded52b5c1d31c441c763806ce98ec57e3e1f17a70d711eb029782b1471361ac4aaacba8f1cab30a

Download Submit
C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe

Filesize
43KB

MD5
e5a14cf8b1e3da8863367dd894a92a86

SHA1
b28f5ad35ccb58172105fb067d2357abd9576b4c

SHA256
d9ae879a413f7d0fa7da7cf6f7ea2b6f5884207a12edf036bfa9044f8aa08924

SHA512
afa8ea614f00f945bddad3805308a3b20f45bfbae4e5d25f6e16c68c602d4230c0224752dd426276762f6cb8c3adf3e0fa1b460f6ef6e2b9292d08b9610585a3

Download Submit
C:\Windows\SysWOW64\gpkhxgzkrjrtecj.exe

Filesize
146KB

MD5
b93efce92db41f8badfc2bce79a12a01

SHA1
649af02f64a002a1ce6f43eaf76a94465190ea5f

SHA256
e07f00cd991f735b87e58ee3fb06b1005bd0a2384e281fd248d1cebe5be75f4c

SHA512
b8825b05ee57c5a7985a9cf945b349943072bc6db6a8b99239d946878121d5be3d8ec75ec6a50248317ee0f707b82811ad5134e51561142f8081b321fb60d72b

Download Submit
C:\Windows\SysWOW64\koxahpblxdfhn.exe

Filesize
60KB

MD5
e75cf856ebb5902df737f148f92557c1

SHA1
d78807cf8232ae474db89a0f289e29db2196ae4a

SHA256
346a367f02be125657b663d103d8f89d02c84037f1f3f46e54f5728bb62653cc

SHA512
b2489e58cf948c4ff8b5828b990bef5b54cbb72479d70c94d93709d993b6ac751740cd02ef3cea88ea01a762bb737c1b632f1f9bf1b31bda654c229101c1ddc6

Download Submit
C:\Windows\SysWOW64\koxahpblxdfhn.exe

Filesize
37KB

MD5
1ce2c9a9c5e5a3666bb40c27b2e54b62

SHA1
a0eda8e51a8107091219b4be5c181721981e32b0

SHA256
7c4b1e656117fc12393018349d43de477dd9182c613089f2b0f2973d4fda8d0d

SHA512
e7c477e8550045e853124438e40cd314fb7a2d80f2dffb3041dda01925d99dce0ae4d761baa7f3ba41e94b22db8175e3957903b17fa62a1c21a5a905b28d10c6

Download Submit
C:\Windows\SysWOW64\mehxrtslky.exe

Filesize
153KB

MD5
f7dd5344be0e2233f842833e85d5d37c

SHA1
877b1dd6a314d64094fcd332b68af965af66bc3c

SHA256
5c79ce0acc571e62d4eb56283e1d7e43a4664b0eebd923c193831e75c541f8c2

SHA512
cdc941ec439d4bfecfd4eae4fd2aa9a5908577d897700761b2aba44f4c7061507a140fa2518c96484379912fabde80d0a29ba2ed654a199d77ee4408a28bc336

Download Submit
C:\Windows\SysWOW64\mehxrtslky.exe

Filesize
97KB

MD5
db793aabf7272ceed16dbb5ac5fc6275

SHA1
8c5a40ace01bf73691d8f2d6987e0772e443f5b2

SHA256
b534755e647cb74bcc35180caab0a84bbb34e5e5c42ea5c58e8f50da45878dba

SHA512
ea8a040982de548bc9daa7c8e6733517f70b1a237edc7ea740c71a1cf1534ddf2730678a60de27e31378100fec47cc22d1d197584106e8e39cba94c163de5934

Download Submit
C:\Windows\SysWOW64\oymjdadw.exe

Filesize
49KB

MD5
3ef162347fc1613a270c468d01afcfac

SHA1
3a5c4787c41a99e6bd7fedc2bcc28d91a47ed71c

SHA256
f0a31673f8d6345a684602036005bc4b9b1530972be7553239ea2ff40f43e43f

SHA512
abf91287810257442cc78082552f7f576d1953c6b6fdd5feacb548ad489e80d51004e1d75295fbde43992d58ffb30ac3a2e4c8a276db13f9e11da29aa8f02530

Download Submit
C:\Windows\SysWOW64\oymjdadw.exe

Filesize
133KB

MD5
08d82d55bd8af400b715ac29eb27b3a7

SHA1
91b4cc1c5c8bb0cd5208478f8405541c0cf8a1a1

SHA256
b1e0364db410cf79de987a787ed1184db5bdbafe61e5c84c0f6a77458f0d811c

SHA512
512b1f3e366a245c152c8220feff161af47a73f8af00b5b0cbab1bf6d57f64d30b7b8b5fb87798e617a0d1bd42dae7e9100314985fb161ab51f1c16848afe372

Download Submit
C:\Windows\SysWOW64\oymjdadw.exe

Filesize
66KB

MD5
75bf854ea3d42255700548a03c60026d

SHA1
33bbb7230d58ffa3f04bb56c6c1dcb90cc09ead3

SHA256
beab59019f4cfc74edc284da84f579ce8dc5a01ec892aee404f5d17da0744c7e

SHA512
50126bdab764e9295ca92af2d7ec3757c0870a5547922ce69e13930b45f56d470bc94adf63c366772d43c0d046f46a7cdc60fdc49682626df499b87e14242f2c

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\gpkhxgzkrjrtecj.exe

Filesize
145KB

MD5
36e6815c998988e0c4bc3c9a9644dd94

SHA1
5de87513653134a1d66c1919990938e4d2ceccc1

SHA256
9d12f29156208f62379de023eec2c0b92e35507d389589e2f05636f463916fbf

SHA512
f5048e74d8a90280186cc1cb6834dc0a516893f6f7af36965018f70b4fa808f351411d764f9e443757d801da71bfc34efd942a5f1879006d6e0dac8a15830bb1

Download Submit
\Windows\SysWOW64\koxahpblxdfhn.exe

Filesize
183KB

MD5
2218f6428f362635bab2d6df654d90db

SHA1
ffd8b0ec621572f920d5c61a7cc3331e3ea669ea

SHA256
5da10d16edf058e3ebca1bfbca1f715d1e09922261a9ac8b8631a545ba641eb9

SHA512
4ecc1277da42e0371506d54775f94a069b7366f4335c7f849ae2062e26ae2e681fb0537c18fca4bcd8522ea0e7ef25ba52b2eab1e407e4b111d20a792683fa9d

Download Submit
\Windows\SysWOW64\mehxrtslky.exe

Filesize
164KB

MD5
46b843f397f342861674ce8d79f282e6

SHA1
bb250b74354171fb175150a5ed464bdc4cf2f493

SHA256
cd0b80ad98e9bde1f49df25998448e6b1a1704c20f7de97739ef180511fb9eb1

SHA512
08f026412cc79c3f42dd7ec92b46ad0427f7f7080df91ea67715eccaa8ebaa78c30505865152275054a9117789b84dcdfaeb19778a9e1b5e6695f1352406de39

Download Submit
\Windows\SysWOW64\oymjdadw.exe

Filesize
66KB

MD5
a3c76a9b12868d508010402e3b98e13c

SHA1
d9a2da8713a2c10d0cad1cc06c8acbd8d83bbd24

SHA256
5c2bf144fc448ab072c13fa0befea847608e9823ee96be40b007401c3b263c75

SHA512
54b3999312f3aefe29a8e535de3601903149060bbc90f676ce4104f81ab4cebd04833c090bd57e1e5e4188cb008c6e80148fd4de9efd953eb3fee2e720ae1cd2

Download Submit
\Windows\SysWOW64\oymjdadw.exe

Filesize
67KB

MD5
c0de6b4a8ef42aae97bd9d4399cacb5b

SHA1
0357fe3517bb04ad996ba7086edfdc9a37132bf9

SHA256
5c9908ceea79b39c67029d72108637f43b018bc0777b38a60f58008ed8eb1e41

SHA512
e664d7fc52e56e285785757ffa248e7c97715c1f84f3174af8e42615071fdeb28eb926c389aa9880aae3563a0c6040c3682706c1fbbd493b79c843236b7d73a1

Download Submit
memory/2056-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2168-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2168-47-0x00000000715DD000-0x00000000715E8000-memory.dmp

Filesize
44KB

Download
memory/2168-45-0x000000002F211000-0x000000002F212000-memory.dmp

Filesize
4KB

Download
memory/2168-80-0x00000000715DD000-0x00000000715E8000-memory.dmp

Filesize
44KB

Download
memory/2168-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download