Analysis

max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/02/2024, 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: ab6b87a8ef210e5c047f565cd76a0a1f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ab6b87a8ef210e5c047f565cd76a0a1f.exe
  Resource: win10v2004-20240226-en
General

Target: ab6b87a8ef210e5c047f565cd76a0a1f.exe
Size: 512KB
MD5: ab6b87a8ef210e5c047f565cd76a0a1f
SHA1: a760eecc424853e684a357082d1aca3302f579a7
SHA256: 1474f25f1f927dcea56a12f600530547de3fa6a226474b3459425ec4145bb226
SHA512: 21899007f1fa298fc7688f51693662c2e3f01dc5d5ce96a3cee4bb3850c4d72c14d2c48f51fb04b4cf7f82828f6afd1d92e362decf0eeabf19abadc3b42f854f
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6C:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | dxyvpruyku.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | dxyvpruyku.exe |

Windows security bypass (5 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dxyvpruyku.exe |
Disables RegEdit via registry modification (1 IoC)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dxyvpruyku.exe |
Executes dropped EXE (5 IoCs)

| pid | Process |
|---|---|
| 2552 | dxyvpruyku.exe |
| 2676 | dvxlkxiuzzubpma.exe |
| 2668 | mkwkdtyv.exe |
| 1408 | mxpghmawwbkji.exe |
| 2520 | mkwkdtyv.exe |
Loads dropped DLL (5 IoCs)

| pid | Process |
|---|---|
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 2552 | dxyvpruyku.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | dxyvpruyku.exe |
Enumerates connected drives (3 TTPs, 64 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
|---|---|---|
| File opened (read-only) | \??\t: | mkwkdtyv.exe |
| File opened (read-only) | \??\k: | mkwkdtyv.exe |
| File opened (read-only) | \??\s: | mkwkdtyv.exe |
| File opened (read-only) | \??\i: | dxyvpruyku.exe |
| File opened (read-only) | \??\j: | dxyvpruyku.exe |
| File opened (read-only) | \??\j: | mkwkdtyv.exe |
| File opened (read-only) | \??\l: | mkwkdtyv.exe |
| File opened (read-only) | \??\b: | dxyvpruyku.exe |
| File opened (read-only) | \??\q: | mkwkdtyv.exe |
| File opened (read-only) | \??\k: | dxyvpruyku.exe |
| File opened (read-only) | \??\w: | mkwkdtyv.exe |
| File opened (read-only) | \??\e: | mkwkdtyv.exe |
| File opened (read-only) | \??\u: | mkwkdtyv.exe |
| File opened (read-only) | \??\v: | mkwkdtyv.exe |
| File opened (read-only) | \??\j: | mkwkdtyv.exe |
| File opened (read-only) | \??\v: | dxyvpruyku.exe |
| File opened (read-only) | \??\y: | dxyvpruyku.exe |
| File opened (read-only) | \??\b: | mkwkdtyv.exe |
| File opened (read-only) | \??\s: | mkwkdtyv.exe |
| File opened (read-only) | \??\x: | dxyvpruyku.exe |
| File opened (read-only) | \??\n: | mkwkdtyv.exe |
| File opened (read-only) | \??\s: | dxyvpruyku.exe |
| File opened (read-only) | \??\t: | dxyvpruyku.exe |
| File opened (read-only) | \??\z: | mkwkdtyv.exe |
| File opened (read-only) | \??\r: | dxyvpruyku.exe |
| File opened (read-only) | \??\k: | mkwkdtyv.exe |
| File opened (read-only) | \??\i: | mkwkdtyv.exe |
| File opened (read-only) | \??\u: | mkwkdtyv.exe |
| File opened (read-only) | \??\a: | dxyvpruyku.exe |
| File opened (read-only) | \??\p: | dxyvpruyku.exe |
| File opened (read-only) | \??\w: | dxyvpruyku.exe |
| File opened (read-only) | \??\q: | mkwkdtyv.exe |
| File opened (read-only) | \??\g: | mkwkdtyv.exe |
| File opened (read-only) | \??\l: | dxyvpruyku.exe |
| File opened (read-only) | \??\n: | dxyvpruyku.exe |
| File opened (read-only) | \??\u: | dxyvpruyku.exe |
| File opened (read-only) | \??\x: | mkwkdtyv.exe |
| File opened (read-only) | \??\a: | mkwkdtyv.exe |
| File opened (read-only) | \??\t: | mkwkdtyv.exe |
| File opened (read-only) | \??\x: | mkwkdtyv.exe |
| File opened (read-only) | \??\g: | dxyvpruyku.exe |
| File opened (read-only) | \??\o: | dxyvpruyku.exe |
| File opened (read-only) | \??\i: | mkwkdtyv.exe |
| File opened (read-only) | \??\z: | mkwkdtyv.exe |
| File opened (read-only) | \??\h: | dxyvpruyku.exe |
| File opened (read-only) | \??\m: | dxyvpruyku.exe |
| File opened (read-only) | \??\b: | mkwkdtyv.exe |
| File opened (read-only) | \??\r: | mkwkdtyv.exe |
| File opened (read-only) | \??\w: | mkwkdtyv.exe |
| File opened (read-only) | \??\a: | mkwkdtyv.exe |
| File opened (read-only) | \??\n: | mkwkdtyv.exe |
| File opened (read-only) | \??\y: | mkwkdtyv.exe |
| File opened (read-only) | \??\h: | mkwkdtyv.exe |
| File opened (read-only) | \??\e: | dxyvpruyku.exe |
| File opened (read-only) | \??\e: | mkwkdtyv.exe |
| File opened (read-only) | \??\r: | mkwkdtyv.exe |
| File opened (read-only) | \??\q: | dxyvpruyku.exe |
| File opened (read-only) | \??\z: | dxyvpruyku.exe |
| File opened (read-only) | \??\l: | mkwkdtyv.exe |
| File opened (read-only) | \??\g: | mkwkdtyv.exe |
| File opened (read-only) | \??\o: | mkwkdtyv.exe |
| File opened (read-only) | \??\p: | mkwkdtyv.exe |
| File opened (read-only) | \??\y: | mkwkdtyv.exe |
| File opened (read-only) | \??\o: | mkwkdtyv.exe |
Modifies WinLogon (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | dxyvpruyku.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | dxyvpruyku.exe |
AutoIT Executable (9 IoCs)

AutoIT scripts compiled to PE executables.

| resource | yara_rule |
|---|---|
| behavioral1/memory/1876-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe |
| behavioral1/files/0x002a000000016cd1-9.dat | autoit_exe |
| behavioral1/files/0x000b00000001223a-17.dat | autoit_exe |
| behavioral1/files/0x000b000000016c84-22.dat | autoit_exe |
| behavioral1/files/0x0007000000016d33-36.dat | autoit_exe |
| behavioral1/files/0x0007000000016d33-39.dat | autoit_exe |
| behavioral1/files/0x002a000000016cd1-40.dat | autoit_exe |
| behavioral1/files/0x00050000000195a6-68.dat | autoit_exe |
| behavioral1/files/0x00050000000195e9-74.dat | autoit_exe |
Drops file in System32 directory (9 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\dxyvpruyku.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File opened for modification | C:\Windows\SysWOW64\dvxlkxiuzzubpma.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File created | C:\Windows\SysWOW64\mkwkdtyv.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File opened for modification | C:\Windows\SysWOW64\mkwkdtyv.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File created | C:\Windows\SysWOW64\mxpghmawwbkji.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File created | C:\Windows\SysWOW64\dxyvpruyku.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File created | C:\Windows\SysWOW64\dvxlkxiuzzubpma.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File opened for modification | C:\Windows\SysWOW64\mxpghmawwbkji.exe | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | dxyvpruyku.exe |
Drops file in Program Files directory (14 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | mkwkdtyv.exe |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | mkwkdtyv.exe |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | mkwkdtyv.exe |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | mkwkdtyv.exe |
| File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | mkwkdtyv.exe |
| File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | mkwkdtyv.exe |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | mkwkdtyv.exe |
Drops file in Windows directory (5 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE |
| File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE |
| File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE |
| File opened for modification | C:\Windows\mydoc.rtf | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings (31 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE |
| Key created | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE |
Modifies registry class (64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FC6BB2FE6F21DBD20ED0D48B0E9016" | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | dxyvpruyku.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | dxyvpruyku.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | dxyvpruyku.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B121449039E953CAB9D6339CD4B9" | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | dxyvpruyku.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE |
Suspicious behavior: AddClipboardFormatListener (1 IoC)

| pid | Process |
|---|---|
| 2452 | WINWORD.EXE |
Suspicious behavior: EnumeratesProcesses (64 IoCs)

| pid | Process |
|---|---|
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
Suspicious use of FindShellTrayWindow (15 IoCs)

| pid | Process |
|---|---|
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
Suspicious use of SendNotifyMessage (15 IoCs)

| pid | Process |
|---|---|
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 2552 | dxyvpruyku.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 1408 | mxpghmawwbkji.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2668 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
| 2520 | mkwkdtyv.exe |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 2452 | WINWORD.EXE |
| 2452 | WINWORD.EXE |
Suspicious use of WriteProcessMemory (28 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1876 wrote to memory of 2552 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 28 |
| PID 1876 wrote to memory of 2552 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 28 |
| PID 1876 wrote to memory of 2552 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 28 |
| PID 1876 wrote to memory of 2552 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 28 |
| PID 1876 wrote to memory of 2676 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 29 |
| PID 1876 wrote to memory of 2676 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 29 |
| PID 1876 wrote to memory of 2676 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 29 |
| PID 1876 wrote to memory of 2676 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 29 |
| PID 1876 wrote to memory of 2668 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 31 |
| PID 1876 wrote to memory of 2668 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 31 |
| PID 1876 wrote to memory of 2668 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 31 |
| PID 1876 wrote to memory of 2668 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 31 |
| PID 1876 wrote to memory of 1408 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 30 |
| PID 1876 wrote to memory of 1408 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 30 |
| PID 1876 wrote to memory of 1408 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 30 |
| PID 1876 wrote to memory of 1408 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 30 |
| PID 2552 wrote to memory of 2520 | 2552 | dxyvpruyku.exe | 32 |
| PID 2552 wrote to memory of 2520 | 2552 | dxyvpruyku.exe | 32 |
| PID 2552 wrote to memory of 2520 | 2552 | dxyvpruyku.exe | 32 |
| PID 2552 wrote to memory of 2520 | 2552 | dxyvpruyku.exe | 32 |
| PID 1876 wrote to memory of 2452 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 33 |
| PID 1876 wrote to memory of 2452 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 33 |
| PID 1876 wrote to memory of 2452 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 33 |
| PID 1876 wrote to memory of 2452 | 1876 | ab6b87a8ef210e5c047f565cd76a0a1f.exe | 33 |
| PID 2452 wrote to memory of 2740 | 2452 | WINWORD.EXE | 37 |
| PID 2452 wrote to memory of 2740 | 2452 | WINWORD.EXE | 37 |
| PID 2452 wrote to memory of 2740 | 2452 | WINWORD.EXE | 37 |
| PID 2452 wrote to memory of 2740 | 2452 | WINWORD.EXE | 37 |
Processes

The bracketed number is the depth in the process tree; each entry lists the image path, the command line, the PID and the signatures that fired for it.

- [1] C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab6b87a8ef210e5c047f565cd76a0a1f.exe"
  PID: 1876
  Signatures: Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\dxyvpruyku.exe
    Command line: dxyvpruyku.exe
    PID: 2552
    Signatures: Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Windows security modification; Enumerates connected drives; Modifies WinLogon; Drops file in System32 directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\mkwkdtyv.exe
      Command line: C:\Windows\system32\mkwkdtyv.exe
      PID: 2520
      Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\dvxlkxiuzzubpma.exe
    Command line: dvxlkxiuzzubpma.exe
    PID: 2676
    Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\mxpghmawwbkji.exe
    Command line: mxpghmawwbkji.exe
    PID: 1408
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - [2] C:\Windows\SysWOW64\mkwkdtyv.exe
    Command line: mkwkdtyv.exe
    PID: 2668
    Signatures: Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - [2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2452
    Signatures: Drops file in Windows directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads