a4c105ca89c85e54a7b0dfa1b30a7458801fe542a083a1956494eefcf107b9c2

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 20:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6bc872d7343ffeec96b71352192a5f4.exe
Size

512KB
MD5

c6bc872d7343ffeec96b71352192a5f4
SHA1

593040758bec6126a76b78ad661dcadf3ade869f
SHA256

a4c105ca89c85e54a7b0dfa1b30a7458801fe542a083a1956494eefcf107b9c2
SHA512

af68c0b8f537daefe1500a6f9c15c605461e1912bb447d226251fd5612dcb197b4367a859e814243bb184de36f1a86b327e38142a1df31cfac515690cb8d8293
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6v:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5E

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	yljkgisdry.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	yljkgisdry.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yljkgisdry.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yljkgisdry.exe

Executes dropped EXE 5 IoCs

pid	Process
2372	yljkgisdry.exe
1116	akxnywnjzsxsvtv.exe
1288	pyqalfjp.exe
1968	xtxrsytvmmjpj.exe
2008	pyqalfjp.exe

Loads dropped DLL 5 IoCs

pid	Process
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2372	yljkgisdry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	yljkgisdry.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdeabvtq = "yljkgisdry.exe"	akxnywnjzsxsvtv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cjoqnaqi = "akxnywnjzsxsvtv.exe"	akxnywnjzsxsvtv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xtxrsytvmmjpj.exe"	akxnywnjzsxsvtv.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	pyqalfjp.exe
File opened (read-only)	\??\a:	pyqalfjp.exe
File opened (read-only)	\??\o:	pyqalfjp.exe
File opened (read-only)	\??\l:	yljkgisdry.exe
File opened (read-only)	\??\n:	yljkgisdry.exe
File opened (read-only)	\??\h:	pyqalfjp.exe
File opened (read-only)	\??\o:	pyqalfjp.exe
File opened (read-only)	\??\z:	pyqalfjp.exe
File opened (read-only)	\??\b:	pyqalfjp.exe
File opened (read-only)	\??\r:	yljkgisdry.exe
File opened (read-only)	\??\t:	yljkgisdry.exe
File opened (read-only)	\??\x:	yljkgisdry.exe
File opened (read-only)	\??\n:	pyqalfjp.exe
File opened (read-only)	\??\p:	pyqalfjp.exe
File opened (read-only)	\??\y:	pyqalfjp.exe
File opened (read-only)	\??\q:	pyqalfjp.exe
File opened (read-only)	\??\u:	pyqalfjp.exe
File opened (read-only)	\??\u:	yljkgisdry.exe
File opened (read-only)	\??\w:	yljkgisdry.exe
File opened (read-only)	\??\z:	yljkgisdry.exe
File opened (read-only)	\??\b:	pyqalfjp.exe
File opened (read-only)	\??\g:	pyqalfjp.exe
File opened (read-only)	\??\a:	pyqalfjp.exe
File opened (read-only)	\??\e:	pyqalfjp.exe
File opened (read-only)	\??\l:	pyqalfjp.exe
File opened (read-only)	\??\r:	pyqalfjp.exe
File opened (read-only)	\??\s:	pyqalfjp.exe
File opened (read-only)	\??\l:	pyqalfjp.exe
File opened (read-only)	\??\x:	pyqalfjp.exe
File opened (read-only)	\??\i:	yljkgisdry.exe
File opened (read-only)	\??\s:	yljkgisdry.exe
File opened (read-only)	\??\g:	pyqalfjp.exe
File opened (read-only)	\??\i:	pyqalfjp.exe
File opened (read-only)	\??\u:	pyqalfjp.exe
File opened (read-only)	\??\y:	pyqalfjp.exe
File opened (read-only)	\??\b:	yljkgisdry.exe
File opened (read-only)	\??\a:	yljkgisdry.exe
File opened (read-only)	\??\h:	yljkgisdry.exe
File opened (read-only)	\??\k:	pyqalfjp.exe
File opened (read-only)	\??\m:	pyqalfjp.exe
File opened (read-only)	\??\j:	pyqalfjp.exe
File opened (read-only)	\??\p:	yljkgisdry.exe
File opened (read-only)	\??\e:	yljkgisdry.exe
File opened (read-only)	\??\q:	yljkgisdry.exe
File opened (read-only)	\??\e:	pyqalfjp.exe
File opened (read-only)	\??\i:	pyqalfjp.exe
File opened (read-only)	\??\s:	pyqalfjp.exe
File opened (read-only)	\??\v:	pyqalfjp.exe
File opened (read-only)	\??\v:	yljkgisdry.exe
File opened (read-only)	\??\h:	pyqalfjp.exe
File opened (read-only)	\??\k:	yljkgisdry.exe
File opened (read-only)	\??\y:	yljkgisdry.exe
File opened (read-only)	\??\m:	pyqalfjp.exe
File opened (read-only)	\??\z:	pyqalfjp.exe
File opened (read-only)	\??\g:	yljkgisdry.exe
File opened (read-only)	\??\t:	pyqalfjp.exe
File opened (read-only)	\??\n:	pyqalfjp.exe
File opened (read-only)	\??\o:	yljkgisdry.exe
File opened (read-only)	\??\j:	pyqalfjp.exe
File opened (read-only)	\??\w:	pyqalfjp.exe
File opened (read-only)	\??\w:	pyqalfjp.exe
File opened (read-only)	\??\m:	yljkgisdry.exe
File opened (read-only)	\??\q:	pyqalfjp.exe
File opened (read-only)	\??\v:	pyqalfjp.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	yljkgisdry.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	yljkgisdry.exe

AutoIT Executable 9 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0009000000016d24-5.dat	autoit_exe
behavioral1/files/0x000900000001224c-17.dat	autoit_exe
behavioral1/files/0x0007000000016d84-27.dat	autoit_exe
behavioral1/files/0x00020000000180e5-33.dat	autoit_exe
behavioral1/files/0x0002000000003d25-55.dat	autoit_exe
behavioral1/files/0x0005000000019333-72.dat	autoit_exe
behavioral1/files/0x0005000000019368-76.dat	autoit_exe
behavioral1/files/0x0005000000019377-82.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\yljkgisdry.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification	C:\Windows\SysWOW64\akxnywnjzsxsvtv.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File created	C:\Windows\SysWOW64\pyqalfjp.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification	C:\Windows\SysWOW64\pyqalfjp.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification	C:\Windows\SysWOW64\xtxrsytvmmjpj.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File created	C:\Windows\SysWOW64\yljkgisdry.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File created	C:\Windows\SysWOW64\xtxrsytvmmjpj.exe	c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	yljkgisdry.exe
File created	C:\Windows\SysWOW64\akxnywnjzsxsvtv.exe	c6bc872d7343ffeec96b71352192a5f4.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	\??\c:\Program Files\ExitSync.doc.exe	pyqalfjp.exe
File opened for modification	\??\c:\Program Files\ExitSync.doc.exe	pyqalfjp.exe
File opened for modification	\??\c:\Program Files\ExitSync.doc.exe	pyqalfjp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	pyqalfjp.exe
File opened for modification	C:\Program Files\ExitSync.doc.exe	pyqalfjp.exe
File opened for modification	C:\Program Files\ExitSync.doc.exe	pyqalfjp.exe
File opened for modification	C:\Program Files\ExitSync.nal	pyqalfjp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	pyqalfjp.exe
File opened for modification	C:\Program Files\ExitSync.nal	pyqalfjp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	pyqalfjp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pyqalfjp.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pyqalfjp.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	pyqalfjp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	pyqalfjp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	c6bc872d7343ffeec96b71352192a5f4.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	yljkgisdry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB05844EF39E353B9BAD4329FD4BF"	c6bc872d7343ffeec96b71352192a5f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	yljkgisdry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	yljkgisdry.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	yljkgisdry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB4FABFFE65F19784793A4686EE39E2B3FC038C4260023AE2C8459D09D3"	c6bc872d7343ffeec96b71352192a5f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	yljkgisdry.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0F9C2383546A4476A077252CDA7CF565AB"	c6bc872d7343ffeec96b71352192a5f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
676	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
1116	akxnywnjzsxsvtv.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1116	akxnywnjzsxsvtv.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
2236	c6bc872d7343ffeec96b71352192a5f4.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
1116	akxnywnjzsxsvtv.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
2372	yljkgisdry.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1968	xtxrsytvmmjpj.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
1288	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe
2008	pyqalfjp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
676	WINWORD.EXE
676	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2372	2236	c6bc872d7343ffeec96b71352192a5f4.exe	30
PID 2236 wrote to memory of 2372	2236	c6bc872d7343ffeec96b71352192a5f4.exe	30
PID 2236 wrote to memory of 2372	2236	c6bc872d7343ffeec96b71352192a5f4.exe	30
PID 2236 wrote to memory of 2372	2236	c6bc872d7343ffeec96b71352192a5f4.exe	30
PID 2236 wrote to memory of 1116	2236	c6bc872d7343ffeec96b71352192a5f4.exe	31
PID 2236 wrote to memory of 1116	2236	c6bc872d7343ffeec96b71352192a5f4.exe	31
PID 2236 wrote to memory of 1116	2236	c6bc872d7343ffeec96b71352192a5f4.exe	31
PID 2236 wrote to memory of 1116	2236	c6bc872d7343ffeec96b71352192a5f4.exe	31
PID 2236 wrote to memory of 1288	2236	c6bc872d7343ffeec96b71352192a5f4.exe	32
PID 2236 wrote to memory of 1288	2236	c6bc872d7343ffeec96b71352192a5f4.exe	32
PID 2236 wrote to memory of 1288	2236	c6bc872d7343ffeec96b71352192a5f4.exe	32
PID 2236 wrote to memory of 1288	2236	c6bc872d7343ffeec96b71352192a5f4.exe	32
PID 2236 wrote to memory of 1968	2236	c6bc872d7343ffeec96b71352192a5f4.exe	33
PID 2236 wrote to memory of 1968	2236	c6bc872d7343ffeec96b71352192a5f4.exe	33
PID 2236 wrote to memory of 1968	2236	c6bc872d7343ffeec96b71352192a5f4.exe	33
PID 2236 wrote to memory of 1968	2236	c6bc872d7343ffeec96b71352192a5f4.exe	33
PID 2372 wrote to memory of 2008	2372	yljkgisdry.exe	34
PID 2372 wrote to memory of 2008	2372	yljkgisdry.exe	34
PID 2372 wrote to memory of 2008	2372	yljkgisdry.exe	34
PID 2372 wrote to memory of 2008	2372	yljkgisdry.exe	34
PID 2236 wrote to memory of 676	2236	c6bc872d7343ffeec96b71352192a5f4.exe	35
PID 2236 wrote to memory of 676	2236	c6bc872d7343ffeec96b71352192a5f4.exe	35
PID 2236 wrote to memory of 676	2236	c6bc872d7343ffeec96b71352192a5f4.exe	35
PID 2236 wrote to memory of 676	2236	c6bc872d7343ffeec96b71352192a5f4.exe	35
PID 676 wrote to memory of 2832	676	WINWORD.EXE	38
PID 676 wrote to memory of 2832	676	WINWORD.EXE	38
PID 676 wrote to memory of 2832	676	WINWORD.EXE	38
PID 676 wrote to memory of 2832	676	WINWORD.EXE	38

C:\Users\Admin\AppData\Local\Temp\c6bc872d7343ffeec96b71352192a5f4.exe
"C:\Users\Admin\AppData\Local\Temp\c6bc872d7343ffeec96b71352192a5f4.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\yljkgisdry.exe
  yljkgisdry.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\pyqalfjp.exe
    C:\Windows\system32\pyqalfjp.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2008
- C:\Windows\SysWOW64\akxnywnjzsxsvtv.exe
  akxnywnjzsxsvtv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1116
- C:\Windows\SysWOW64\pyqalfjp.exe
  pyqalfjp.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1288
- C:\Windows\SysWOW64\xtxrsytvmmjpj.exe
  xtxrsytvmmjpj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1968
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
16e3fd4a145326585a295c5c7c2eca35

SHA1
0aa5d656f61a4e35f371e818b325da179a0e6a18

SHA256
508ab36220eafea828f352d5ed6ace7e2391f6baf14503ef9c4af6447614ee2a

SHA512
3526baa0dc25366aa87fc5952756758050f86e29ad0fdb291a3a2abcbf7e186648bb7a560d636f765447744f376aa5f5c4c9d276d6cdb821742a95f6d9485a5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
b23936f675a6f110b1a6e7e62a21d763

SHA1
deb8cbfe030ff4cb542c5458f81b9511a1251a98

SHA256
371fed11cb37a11fab1d1bea38f4cff995a82c0638c9b5746a64a920e01abd06

SHA512
0ec1ff9667f2eee4b7255a8d78f0cf30f726fb29cdf1d964de28fe07818e857fbfb2710701e3ffff9f87cec260cd702f622c91376fe38b2387f4d579dba50c89

Download Submit
C:\Program Files\ExitSync.doc.exe

Filesize
493KB

MD5
4aa564a9ee70efdd817cede42806163b

SHA1
c75ffcfe10532f814a2e9c050c989f28ba1dcba0

SHA256
b8a60f58c6a29d7d3251fbac8351d7b520af87bea591c39db727fccf561510c7

SHA512
44b66ab8b09d1d3fa27f8d67fb14fabe0942eb2539d94fd5a68f2c708343712afc8dda56e5720f3fea15fa3a039b8a4a315386d89d39fb695e4d5469847a3330

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
2c87fc8c26a8047ecaa984a9593d832f

SHA1
03d84c61eac50fc41a53dbc121fb97e9c11f59c7

SHA256
7c5f39904c70d74ffaea621966da5f792891bd11cf37a81e3acb615c8de2fce7

SHA512
f5bbf4c138ba7a0b3ef50f9b8934053e66a880cd63a790b592b18fee8d5f6f1c6736ef1ebd626099daddaf1ad7612c7c22684b01a2758cf334f2ef0b0791bba1

Download Submit
C:\Users\Admin\Downloads\SelectSkip.doc.exe

Filesize
512KB

MD5
cac3564fae2097bdd13167d01f0cb73d

SHA1
8789d3e05041a9f0eadda77af8149890bcfdcc59

SHA256
3546572b0197da37d78b8b1146ae2bda1d2d75975c7b95b26d73f115f5f4ae3b

SHA512
fd79ccd470ea501e5a5091dfff299e9a0397827d82a0fe7c359c41c7c47b4466d7802932a6a9bd8d92c0da8d319f1c6efc9f32b9b177f13ec1dc099fa27886e5

Download Submit
C:\Windows\SysWOW64\akxnywnjzsxsvtv.exe

Filesize
512KB

MD5
5a73d400cd29ec4e648b674b085c22a8

SHA1
a4a805e1b0194d81a00c0cd91952c2e6627911bc

SHA256
c9da3d52fd534ac8c3211fa97c9a85f4fa003853770ea199d2eb4a6472a14e38

SHA512
edd2401488fd9b68cecff77b3443b9224d962e37328b9bbf33157884619da9e68b8bd973ee0d9694ebb4eb7e8b71c5997b2438ee80327b217a38103b47271c7a

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\pyqalfjp.exe

Filesize
512KB

MD5
7fd938d4c105dd6e13dc5cbdda4ddedd

SHA1
5cc059a64892d90aadaa06930d074fe3e5b4416d

SHA256
bf481288d8f6ae2d34f355ac4dc2b8c463f4d7c224e7c98af4b2b39cc648f45b

SHA512
47be32f0736fa1b552107edb95f77c2dc001bb9d075f42323010bbf211d70ec6fa7a9a78664bbd5a5bdddd92b3fefa3cb904add3e1b3a7f34043c3695c153ac9

Download Submit
\Windows\SysWOW64\xtxrsytvmmjpj.exe

Filesize
512KB

MD5
f6af29dc085862e8614847e4c56ec8f0

SHA1
79298a90f3db95b48eb0676fa4e28329b465708a

SHA256
f797dbbc96ef360518dc4ec4eabf6173599b328380913cc2ef508bc05a3d6d2c

SHA512
75970c025481e8d86e337fd8198472a6339c2de8f8f603f5cc07b209d2e11731a52cce989671b87c95ba988f9a2f09909641ddc90333426ae9c4c8529b5bc30c

Download Submit
\Windows\SysWOW64\yljkgisdry.exe

Filesize
512KB

MD5
5e9ba4f02982ac5b335c3bf303f95c12

SHA1
f6580e282309e8898244eea1db819f64fcf35be9

SHA256
3b5df8bf3a048918934e52afd639c91b1d47e77a447fb7fa5e771ddd689329d2

SHA512
88abfb80126da395ffd488d21b1b0f5f1d19c09c55c407d53f998c18399db44aeeb612f7f989b59c07dc54d3516834dc41d4d67f61b8e96f50b0e317b14e3a0a

Download Submit
memory/676-47-0x0000000071B2D000-0x0000000071B38000-memory.dmp

Filesize
44KB

Download
memory/676-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/676-45-0x000000002F411000-0x000000002F412000-memory.dmp

Filesize
4KB

Download
memory/676-84-0x0000000071B2D000-0x0000000071B38000-memory.dmp

Filesize
44KB

Download
memory/676-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download