ddb31b24a277a00206e60773c5eeb75c647cf5567993ebca161464e4178761d7

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
Size

512KB
MD5

a0f2b4a2bfb0a5bd3280e599cd144cfa
SHA1

30fbf03869df269db13fc6729ccc429384427b11
SHA256

ddb31b24a277a00206e60773c5eeb75c647cf5567993ebca161464e4178761d7
SHA512

518c1ef922fe68a8b866dfde87fa4125d603fe780a434711a3d8d97b7f7ca327e9390e1eacb057c3a46b999d39f8c84d2880c8b54b16e5c743c1c49ed273bdd7
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6/:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5c

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	yfvwacsqaj.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yfvwacsqaj.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yfvwacsqaj.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yfvwacsqaj.exe

Executes dropped EXE 5 IoCs

pid	Process
2152	yfvwacsqaj.exe
2544	fsaqeizjgxtdtho.exe
2656	sotukimp.exe
2444	mgxjkayunodfp.exe
2792	sotukimp.exe

Loads dropped DLL 5 IoCs

pid	Process
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2152	yfvwacsqaj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yfvwacsqaj.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kzvjyvme = "yfvwacsqaj.exe"	fsaqeizjgxtdtho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vxmkbfrq = "fsaqeizjgxtdtho.exe"	fsaqeizjgxtdtho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mgxjkayunodfp.exe"	fsaqeizjgxtdtho.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	sotukimp.exe
File opened (read-only)	\??\m:	sotukimp.exe
File opened (read-only)	\??\w:	sotukimp.exe
File opened (read-only)	\??\q:	sotukimp.exe
File opened (read-only)	\??\u:	sotukimp.exe
File opened (read-only)	\??\v:	sotukimp.exe
File opened (read-only)	\??\a:	yfvwacsqaj.exe
File opened (read-only)	\??\b:	yfvwacsqaj.exe
File opened (read-only)	\??\b:	sotukimp.exe
File opened (read-only)	\??\r:	sotukimp.exe
File opened (read-only)	\??\y:	yfvwacsqaj.exe
File opened (read-only)	\??\e:	sotukimp.exe
File opened (read-only)	\??\w:	sotukimp.exe
File opened (read-only)	\??\a:	sotukimp.exe
File opened (read-only)	\??\e:	yfvwacsqaj.exe
File opened (read-only)	\??\i:	yfvwacsqaj.exe
File opened (read-only)	\??\n:	yfvwacsqaj.exe
File opened (read-only)	\??\q:	yfvwacsqaj.exe
File opened (read-only)	\??\x:	yfvwacsqaj.exe
File opened (read-only)	\??\h:	sotukimp.exe
File opened (read-only)	\??\m:	sotukimp.exe
File opened (read-only)	\??\h:	sotukimp.exe
File opened (read-only)	\??\p:	sotukimp.exe
File opened (read-only)	\??\y:	sotukimp.exe
File opened (read-only)	\??\g:	yfvwacsqaj.exe
File opened (read-only)	\??\l:	sotukimp.exe
File opened (read-only)	\??\r:	sotukimp.exe
File opened (read-only)	\??\e:	sotukimp.exe
File opened (read-only)	\??\l:	yfvwacsqaj.exe
File opened (read-only)	\??\o:	sotukimp.exe
File opened (read-only)	\??\s:	sotukimp.exe
File opened (read-only)	\??\x:	sotukimp.exe
File opened (read-only)	\??\n:	sotukimp.exe
File opened (read-only)	\??\w:	yfvwacsqaj.exe
File opened (read-only)	\??\g:	sotukimp.exe
File opened (read-only)	\??\m:	yfvwacsqaj.exe
File opened (read-only)	\??\z:	yfvwacsqaj.exe
File opened (read-only)	\??\q:	sotukimp.exe
File opened (read-only)	\??\j:	sotukimp.exe
File opened (read-only)	\??\t:	sotukimp.exe
File opened (read-only)	\??\v:	sotukimp.exe
File opened (read-only)	\??\j:	sotukimp.exe
File opened (read-only)	\??\s:	sotukimp.exe
File opened (read-only)	\??\j:	yfvwacsqaj.exe
File opened (read-only)	\??\k:	sotukimp.exe
File opened (read-only)	\??\n:	sotukimp.exe
File opened (read-only)	\??\u:	sotukimp.exe
File opened (read-only)	\??\o:	sotukimp.exe
File opened (read-only)	\??\x:	sotukimp.exe
File opened (read-only)	\??\p:	yfvwacsqaj.exe
File opened (read-only)	\??\u:	yfvwacsqaj.exe
File opened (read-only)	\??\k:	sotukimp.exe
File opened (read-only)	\??\o:	yfvwacsqaj.exe
File opened (read-only)	\??\r:	yfvwacsqaj.exe
File opened (read-only)	\??\i:	sotukimp.exe
File opened (read-only)	\??\g:	sotukimp.exe
File opened (read-only)	\??\t:	sotukimp.exe
File opened (read-only)	\??\s:	yfvwacsqaj.exe
File opened (read-only)	\??\t:	yfvwacsqaj.exe
File opened (read-only)	\??\v:	yfvwacsqaj.exe
File opened (read-only)	\??\a:	sotukimp.exe
File opened (read-only)	\??\y:	sotukimp.exe
File opened (read-only)	\??\z:	sotukimp.exe
File opened (read-only)	\??\b:	sotukimp.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	yfvwacsqaj.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	yfvwacsqaj.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2944-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000c0000000155f6-5.dat	autoit_exe
behavioral1/files/0x000c000000012352-17.dat	autoit_exe
behavioral1/files/0x0030000000015c6f-31.dat	autoit_exe
behavioral1/files/0x0007000000015cbd-34.dat	autoit_exe
behavioral1/files/0x0006000000016d1f-74.dat	autoit_exe
behavioral1/files/0x0006000000016d36-81.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yfvwacsqaj.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File created	C:\Windows\SysWOW64\fsaqeizjgxtdtho.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\SysWOW64\fsaqeizjgxtdtho.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File created	C:\Windows\SysWOW64\mgxjkayunodfp.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\SysWOW64\yfvwacsqaj.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File created	C:\Windows\SysWOW64\sotukimp.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\SysWOW64\sotukimp.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\SysWOW64\mgxjkayunodfp.exe	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	yfvwacsqaj.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	sotukimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	sotukimp.exe
File opened for modification	\??\c:\Program Files\DisconnectDisable.doc.exe	sotukimp.exe
File opened for modification	C:\Program Files\DisconnectDisable.doc.exe	sotukimp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	sotukimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	sotukimp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	sotukimp.exe
File opened for modification	\??\c:\Program Files\DisconnectDisable.doc.exe	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	sotukimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files\DisconnectDisable.doc.exe	sotukimp.exe
File created	\??\c:\Program Files\DisconnectDisable.doc.exe	sotukimp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files\DisconnectDisable.nal	sotukimp.exe
File opened for modification	C:\Program Files\DisconnectDisable.nal	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	sotukimp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	sotukimp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B15A4495389853C5BAA23298D4BF"	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	yfvwacsqaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C7E9D5682586A4676D377252DDF7D8F64AA"	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	yfvwacsqaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yfvwacsqaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACAF9CEF917F29883753B3181EA39E2B08803FC4213033DE2CA42E808A5"	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	yfvwacsqaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2436	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2656	sotukimp.exe
2656	sotukimp.exe
2656	sotukimp.exe
2656	sotukimp.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2792	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2544	fsaqeizjgxtdtho.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2656	sotukimp.exe
2656	sotukimp.exe
2656	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2152	yfvwacsqaj.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2544	fsaqeizjgxtdtho.exe
2656	sotukimp.exe
2656	sotukimp.exe
2656	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2792	sotukimp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe
2444	mgxjkayunodfp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2436	WINWORD.EXE
2436	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2152	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	28
PID 2944 wrote to memory of 2152	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	28
PID 2944 wrote to memory of 2152	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	28
PID 2944 wrote to memory of 2152	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	28
PID 2944 wrote to memory of 2544	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	29
PID 2944 wrote to memory of 2544	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	29
PID 2944 wrote to memory of 2544	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	29
PID 2944 wrote to memory of 2544	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	29
PID 2944 wrote to memory of 2656	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	30
PID 2944 wrote to memory of 2656	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	30
PID 2944 wrote to memory of 2656	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	30
PID 2944 wrote to memory of 2656	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	30
PID 2944 wrote to memory of 2444	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	31
PID 2944 wrote to memory of 2444	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	31
PID 2944 wrote to memory of 2444	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	31
PID 2944 wrote to memory of 2444	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	31
PID 2152 wrote to memory of 2792	2152	yfvwacsqaj.exe	32
PID 2152 wrote to memory of 2792	2152	yfvwacsqaj.exe	32
PID 2152 wrote to memory of 2792	2152	yfvwacsqaj.exe	32
PID 2152 wrote to memory of 2792	2152	yfvwacsqaj.exe	32
PID 2944 wrote to memory of 2436	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	33
PID 2944 wrote to memory of 2436	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	33
PID 2944 wrote to memory of 2436	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	33
PID 2944 wrote to memory of 2436	2944	a0f2b4a2bfb0a5bd3280e599cd144cfa.exe	33
PID 2436 wrote to memory of 2780	2436	WINWORD.EXE	36
PID 2436 wrote to memory of 2780	2436	WINWORD.EXE	36
PID 2436 wrote to memory of 2780	2436	WINWORD.EXE	36
PID 2436 wrote to memory of 2780	2436	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa.exe
"C:\Users\Admin\AppData\Local\Temp\a0f2b4a2bfb0a5bd3280e599cd144cfa.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\yfvwacsqaj.exe
  yfvwacsqaj.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\sotukimp.exe
    C:\Windows\system32\sotukimp.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2792
- C:\Windows\SysWOW64\fsaqeizjgxtdtho.exe
  fsaqeizjgxtdtho.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2544
- C:\Windows\SysWOW64\sotukimp.exe
  sotukimp.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2656
- C:\Windows\SysWOW64\mgxjkayunodfp.exe
  mgxjkayunodfp.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2444
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
cd3d044bf76fd11858aa50892ff79c92

SHA1
9fb972ce8d1a30f105a8a79f95c78462f1eafc6a

SHA256
329b25bacf57044427cf5fd60cced2b781dbbe3593b117a088a7969e6a2766de

SHA512
7077acb501552e3bd9a8b152e213fc9f1a2729371b05163433cbd3f337bb62d84e61023ee7ccb5d1609a3b9ff6c1d3adff3d65acc3d6d0a83093dcfc62f8354a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
56B

MD5
cefe7da42581fd4143e3294a15436007

SHA1
4b41a125a5525d9b1ed587364b58e95370334306

SHA256
b511a6446916546be58762db622d1ad6ab680b9795f078a4ebec0575f1d8abf8

SHA512
b38a27d75c48c0073f403fce8bbcc18cc02facdd23246c4c8f97e9611dc350d1e60894c43a10e0b0ed3f495cdf00fac088bba6fbbaffbc72c26cb85a603f90e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
52d360b4a060f7d99011df914416a14c

SHA1
51957de7f5ad877e83f3b20f41d81d3c03140deb

SHA256
b6a03548d1c4a7c133013c43445d09207191b51c5ae799700b99f2443c4e7151

SHA512
bbd16ee2b18f3a57e4132b3914ba168f802e2aaf65bbdc188aa0ba41082ecff9d25211d1b77b8eba2d80a6a122e43bb4236aa294fecc7c2273687cab1ebbb222

Download Submit
C:\Users\Admin\Documents\ConvertToInvoke.doc.exe

Filesize
512KB

MD5
b93ced3f8f18e881356bdc42404c4f86

SHA1
4918363f2aa3e3d916d6f539177365cf84086c87

SHA256
5cdeb1a7b7d47ee5b05b9eed2273086cee36f599b56d58384c6ce59db31a432e

SHA512
cd0acb6be1db5e9f3b7bbbf3b43fb4504cedcf847047e83c80c17814927068add1efe4ba2ce886447378ddfb21836ca0b8b0586fefba945cb9c49f31c8321065

Download Submit
C:\Windows\SysWOW64\fsaqeizjgxtdtho.exe

Filesize
512KB

MD5
f041fc6a3ba31096c49a9146a6591b24

SHA1
1a2151c5fc60825d38814745749d4c932e1a8559

SHA256
7ea9549fe037599760ca09db92ac93570779409c6b563f5253690a1b71b4031a

SHA512
ef6e7dcb410cbc7cba14de1ed6eeb5e1441fc4ef1707c242c3b888a506c42122606401bc6f9561776f294424a67d47f4109a09628778a5b8824fdae5e39ee683

Download Submit
C:\Windows\SysWOW64\sotukimp.exe

Filesize
512KB

MD5
d8d967da0d2f72921155e8b9bf0b8ea0

SHA1
e5337009b4ceefc49144ebdd77fc698d66e0de65

SHA256
563c2ebf15d9b920a77b50fbb27b151711b33c9b85e1116ab4639edd086e12df

SHA512
e84c5144a71291ceb00b01a5a25116663c1b51a449892179c166ce9db4db67cc1661affd3cb1848efc51253618cea98302ada5fb26ed635a8e59f29588846555

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\mgxjkayunodfp.exe

Filesize
512KB

MD5
8745c250d88ef4712465e590796ba186

SHA1
387326e88df7024cbbbb8dbf1672f17d5efdca0a

SHA256
266c6b0a8f8aedb3a25abd8f4f1bfdd27dfdf29ee3c803c907c17b80547e959d

SHA512
5f7ac742ce2a59acabb011fbe8cb6f83e21a8b288170a2422103aef223e2c7df12b577f7ae8395202775bebe855fac9411174d080f9440a3274bfacdbc940bad

Download Submit
\Windows\SysWOW64\yfvwacsqaj.exe

Filesize
512KB

MD5
201d28b4465c1fd80a829f3e996dffee

SHA1
27f20dd1f7f446784808bf45322fc19574f73d77

SHA256
ff357c3b65e982bc6d181094d3563f926764544b7a213edf04a3f0127379991d

SHA512
1c2a5fe9f0bd69b56789b0a7c9ddcdfae0fec865dd1486e6a1d3bfba2db16050344bd70493b70bcc9b0782161eb93e6a1c1e3f5dfbfe16604b4243040e4aa011

Download Submit
memory/2436-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2436-51-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/2436-49-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/2436-84-0x00000000714DD000-0x00000000714E8000-memory.dmp

Filesize
44KB

Download
memory/2436-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2944-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download