5fdb3e83c09313e2efcdfa3ec9bebc48771265cde89166762d43e39920693006

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3deeadea21d7f248ab40ea62c5226e25.exe
Size

512KB
MD5

3deeadea21d7f248ab40ea62c5226e25
SHA1

1a1bce75dac6b89be6396660f6f8d293805cbadf
SHA256

5fdb3e83c09313e2efcdfa3ec9bebc48771265cde89166762d43e39920693006
SHA512

d2012e4b5c8658e11b29aad2756211b15c0aa340293b0e627f63fc8b41cc30913810171cb9f9559696ffcd6f20d28e481eefefafb674ab67287ee892f16fa09f
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6X:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5O

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ngwjhwxmti.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ngwjhwxmti.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ngwjhwxmti.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ngwjhwxmti.exe

Executes dropped EXE 5 IoCs

pid	Process
1096	ngwjhwxmti.exe
2284	ujyfdjyfbacesyk.exe
1812	judtnyfu.exe
2224	jbflqwcsnhvdl.exe
2756	judtnyfu.exe

Loads dropped DLL 5 IoCs

pid	Process
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
1096	ngwjhwxmti.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ngwjhwxmti.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gijtytht = "ngwjhwxmti.exe"	ujyfdjyfbacesyk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rbxsowwz = "ujyfdjyfbacesyk.exe"	ujyfdjyfbacesyk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jbflqwcsnhvdl.exe"	ujyfdjyfbacesyk.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	judtnyfu.exe
File opened (read-only)	\??\o:	judtnyfu.exe
File opened (read-only)	\??\s:	judtnyfu.exe
File opened (read-only)	\??\w:	judtnyfu.exe
File opened (read-only)	\??\m:	ngwjhwxmti.exe
File opened (read-only)	\??\k:	judtnyfu.exe
File opened (read-only)	\??\o:	judtnyfu.exe
File opened (read-only)	\??\e:	judtnyfu.exe
File opened (read-only)	\??\i:	judtnyfu.exe
File opened (read-only)	\??\q:	judtnyfu.exe
File opened (read-only)	\??\r:	judtnyfu.exe
File opened (read-only)	\??\x:	judtnyfu.exe
File opened (read-only)	\??\y:	ngwjhwxmti.exe
File opened (read-only)	\??\w:	judtnyfu.exe
File opened (read-only)	\??\b:	judtnyfu.exe
File opened (read-only)	\??\h:	judtnyfu.exe
File opened (read-only)	\??\v:	judtnyfu.exe
File opened (read-only)	\??\b:	ngwjhwxmti.exe
File opened (read-only)	\??\z:	ngwjhwxmti.exe
File opened (read-only)	\??\v:	ngwjhwxmti.exe
File opened (read-only)	\??\b:	judtnyfu.exe
File opened (read-only)	\??\n:	judtnyfu.exe
File opened (read-only)	\??\a:	judtnyfu.exe
File opened (read-only)	\??\w:	ngwjhwxmti.exe
File opened (read-only)	\??\i:	judtnyfu.exe
File opened (read-only)	\??\s:	judtnyfu.exe
File opened (read-only)	\??\g:	judtnyfu.exe
File opened (read-only)	\??\m:	judtnyfu.exe
File opened (read-only)	\??\e:	ngwjhwxmti.exe
File opened (read-only)	\??\s:	ngwjhwxmti.exe
File opened (read-only)	\??\p:	judtnyfu.exe
File opened (read-only)	\??\l:	judtnyfu.exe
File opened (read-only)	\??\p:	ngwjhwxmti.exe
File opened (read-only)	\??\h:	ngwjhwxmti.exe
File opened (read-only)	\??\k:	ngwjhwxmti.exe
File opened (read-only)	\??\l:	ngwjhwxmti.exe
File opened (read-only)	\??\q:	ngwjhwxmti.exe
File opened (read-only)	\??\t:	ngwjhwxmti.exe
File opened (read-only)	\??\x:	ngwjhwxmti.exe
File opened (read-only)	\??\v:	judtnyfu.exe
File opened (read-only)	\??\x:	judtnyfu.exe
File opened (read-only)	\??\t:	judtnyfu.exe
File opened (read-only)	\??\y:	judtnyfu.exe
File opened (read-only)	\??\u:	ngwjhwxmti.exe
File opened (read-only)	\??\j:	judtnyfu.exe
File opened (read-only)	\??\y:	judtnyfu.exe
File opened (read-only)	\??\k:	judtnyfu.exe
File opened (read-only)	\??\z:	judtnyfu.exe
File opened (read-only)	\??\j:	judtnyfu.exe
File opened (read-only)	\??\q:	judtnyfu.exe
File opened (read-only)	\??\p:	judtnyfu.exe
File opened (read-only)	\??\n:	ngwjhwxmti.exe
File opened (read-only)	\??\t:	judtnyfu.exe
File opened (read-only)	\??\u:	judtnyfu.exe
File opened (read-only)	\??\z:	judtnyfu.exe
File opened (read-only)	\??\g:	ngwjhwxmti.exe
File opened (read-only)	\??\j:	ngwjhwxmti.exe
File opened (read-only)	\??\r:	ngwjhwxmti.exe
File opened (read-only)	\??\g:	judtnyfu.exe
File opened (read-only)	\??\r:	judtnyfu.exe
File opened (read-only)	\??\a:	ngwjhwxmti.exe
File opened (read-only)	\??\i:	ngwjhwxmti.exe
File opened (read-only)	\??\a:	judtnyfu.exe
File opened (read-only)	\??\m:	judtnyfu.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	ngwjhwxmti.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	ngwjhwxmti.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000a0000000133a9-25.dat	autoit_exe
behavioral1/files/0x000a0000000126af-38.dat	autoit_exe
behavioral1/files/0x000800000001393e-36.dat	autoit_exe
behavioral1/files/0x000a000000012704-41.dat	autoit_exe
behavioral1/files/0x000a0000000133a9-43.dat	autoit_exe
behavioral1/files/0x0006000000014682-80.dat	autoit_exe
behavioral1/files/0x0006000000014602-74.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ujyfdjyfbacesyk.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File created	C:\Windows\SysWOW64\judtnyfu.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File opened for modification	C:\Windows\SysWOW64\jbflqwcsnhvdl.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File opened for modification	C:\Windows\SysWOW64\ngwjhwxmti.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File created	C:\Windows\SysWOW64\ujyfdjyfbacesyk.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File opened for modification	C:\Windows\SysWOW64\judtnyfu.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File created	C:\Windows\SysWOW64\jbflqwcsnhvdl.exe	3deeadea21d7f248ab40ea62c5226e25.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	ngwjhwxmti.exe
File created	C:\Windows\SysWOW64\ngwjhwxmti.exe	3deeadea21d7f248ab40ea62c5226e25.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	judtnyfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	judtnyfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	judtnyfu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	judtnyfu.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	judtnyfu.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	judtnyfu.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	judtnyfu.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	3deeadea21d7f248ab40ea62c5226e25.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	ngwjhwxmti.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	ngwjhwxmti.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	ngwjhwxmti.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	ngwjhwxmti.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFBFFFC4826851D9040D6207D96BCEEE13C593066416343D798"	3deeadea21d7f248ab40ea62c5226e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C6081493DBC3B8CB7FE3ECE037BC"	3deeadea21d7f248ab40ea62c5226e25.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	3deeadea21d7f248ab40ea62c5226e25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	ngwjhwxmti.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2840	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2756	judtnyfu.exe
2756	judtnyfu.exe
2756	judtnyfu.exe
2756	judtnyfu.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2756	judtnyfu.exe
2756	judtnyfu.exe
2756	judtnyfu.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
2932	3deeadea21d7f248ab40ea62c5226e25.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1812	judtnyfu.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
1096	ngwjhwxmti.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2224	jbflqwcsnhvdl.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2284	ujyfdjyfbacesyk.exe
2756	judtnyfu.exe
2756	judtnyfu.exe
2756	judtnyfu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	WINWORD.EXE
2840	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 1096	2932	3deeadea21d7f248ab40ea62c5226e25.exe	35
PID 2932 wrote to memory of 1096	2932	3deeadea21d7f248ab40ea62c5226e25.exe	35
PID 2932 wrote to memory of 1096	2932	3deeadea21d7f248ab40ea62c5226e25.exe	35
PID 2932 wrote to memory of 1096	2932	3deeadea21d7f248ab40ea62c5226e25.exe	35
PID 2932 wrote to memory of 2284	2932	3deeadea21d7f248ab40ea62c5226e25.exe	33
PID 2932 wrote to memory of 2284	2932	3deeadea21d7f248ab40ea62c5226e25.exe	33
PID 2932 wrote to memory of 2284	2932	3deeadea21d7f248ab40ea62c5226e25.exe	33
PID 2932 wrote to memory of 2284	2932	3deeadea21d7f248ab40ea62c5226e25.exe	33
PID 2932 wrote to memory of 1812	2932	3deeadea21d7f248ab40ea62c5226e25.exe	31
PID 2932 wrote to memory of 1812	2932	3deeadea21d7f248ab40ea62c5226e25.exe	31
PID 2932 wrote to memory of 1812	2932	3deeadea21d7f248ab40ea62c5226e25.exe	31
PID 2932 wrote to memory of 1812	2932	3deeadea21d7f248ab40ea62c5226e25.exe	31
PID 2932 wrote to memory of 2224	2932	3deeadea21d7f248ab40ea62c5226e25.exe	28
PID 2932 wrote to memory of 2224	2932	3deeadea21d7f248ab40ea62c5226e25.exe	28
PID 2932 wrote to memory of 2224	2932	3deeadea21d7f248ab40ea62c5226e25.exe	28
PID 2932 wrote to memory of 2224	2932	3deeadea21d7f248ab40ea62c5226e25.exe	28
PID 1096 wrote to memory of 2756	1096	ngwjhwxmti.exe	30
PID 1096 wrote to memory of 2756	1096	ngwjhwxmti.exe	30
PID 1096 wrote to memory of 2756	1096	ngwjhwxmti.exe	30
PID 1096 wrote to memory of 2756	1096	ngwjhwxmti.exe	30
PID 2932 wrote to memory of 2840	2932	3deeadea21d7f248ab40ea62c5226e25.exe	29
PID 2932 wrote to memory of 2840	2932	3deeadea21d7f248ab40ea62c5226e25.exe	29
PID 2932 wrote to memory of 2840	2932	3deeadea21d7f248ab40ea62c5226e25.exe	29
PID 2932 wrote to memory of 2840	2932	3deeadea21d7f248ab40ea62c5226e25.exe	29
PID 2840 wrote to memory of 344	2840	WINWORD.EXE	36
PID 2840 wrote to memory of 344	2840	WINWORD.EXE	36
PID 2840 wrote to memory of 344	2840	WINWORD.EXE	36
PID 2840 wrote to memory of 344	2840	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\3deeadea21d7f248ab40ea62c5226e25.exe
"C:\Users\Admin\AppData\Local\Temp\3deeadea21d7f248ab40ea62c5226e25.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\jbflqwcsnhvdl.exe
  jbflqwcsnhvdl.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2224
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:344
- C:\Windows\SysWOW64\judtnyfu.exe
  judtnyfu.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1812
- C:\Windows\SysWOW64\ujyfdjyfbacesyk.exe
  ujyfdjyfbacesyk.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2284
- C:\Windows\SysWOW64\ngwjhwxmti.exe
  ngwjhwxmti.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1096

C:\Windows\SysWOW64\judtnyfu.exe
C:\Windows\system32\judtnyfu.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
3386ff2d566e14bc2a2e0a8966d4ede6

SHA1
7fc6572dcd77d061292cbf512126d794e1a24606

SHA256
0a6e47b3f541638f64775ae94f6e964f450a103867c6c2ebb665e7b103d0d238

SHA512
1782a01e2e2cf907dbb9b113b5eab0334dd641d6a3c84d07b36477e884bdf07338a3f53bd3ee9d8f2a97e2a8763836fa4d127cf5f0f419a094f47962076bdc6a

Download Submit
C:\Users\Admin\Documents\InvokeUndo.doc.exe

Filesize
512KB

MD5
2cf0f96f0bd935501009eee5dcf0f7c7

SHA1
4054a80749c91badee51ee581e830d86e83c2cdd

SHA256
127f6639b07ec1b87bcebf0e7d518215d18d8ae616408415b86175380560d618

SHA512
bbc4444c13995a5d4ec2e4d6fd9909c49b1143676d9ee827f8afb73ed77f03b9efc33adb10d85775614d967bcc6e55f1d4008983d494a84456f01c5bd05a1b04

Download Submit
C:\Users\Admin\Downloads\BlockReset.doc.exe

Filesize
512KB

MD5
a158272435d7b90d768fd8f1e21f0944

SHA1
6258a4b91c628c5019ffb5942e8ad277fa09045a

SHA256
efe01d3ea395844ea08886070526dfa6157d1c9e01f4b0464662798f872d04ca

SHA512
3aa8d411391a758f047a50b9d3a5b4ddd0f6334c7133d6f9133713e4b70969d7596c83dae1c2a862c21af972b5fa7b778bd870d9c4bf834e7363921b8a3a584c

Download Submit
C:\Windows\SysWOW64\jbflqwcsnhvdl.exe

Filesize
512KB

MD5
99faabf41ffcc0eb7be40f03eda4a49e

SHA1
b2f216ed60ebabdd40a9842dfd268fea3b8e2cee

SHA256
bd3f48e4f1d60eb3995e041574dbd75ae243e03664a3775c77f631f0d6f04179

SHA512
ba6d4d85b5095dcb5becbd1cf2cc822770462032c4d263a203c57ca2345bb6d58d98175b44a6928feb1a8a341dc6a1e23ec5dc40b711cc0088666045f6da8def

Download Submit
C:\Windows\SysWOW64\judtnyfu.exe

Filesize
512KB

MD5
adaa8d5606d46fbf7196ebe871416a07

SHA1
c0ca23e47ba8637c03c32ca7f6196ef6b4610ee5

SHA256
b6fac3fee9e27051d4840208a515b18f2f87dfbaf818b599b3f0ade0d5138b30

SHA512
68140d4d42ed85227c92ffe26578274fcbf2c522c4b986f6e4e2bb992fc6f5a988d8544383d47781cc15d83e6cd050552b72e1e52994faefb0f530c8eee880cd

Download Submit
C:\Windows\SysWOW64\ngwjhwxmti.exe

Filesize
512KB

MD5
d9acf39d795e971faded368d2f914676

SHA1
b00fedcf56b2e80cd182d8c82974272e4f054f4b

SHA256
dbe27977e6c832dbdc6651e8134b886a73ffab42c215b5fc4832a449dd75f404

SHA512
02a94ae8fbeb9dacc61a10c4abfc130d1f9bc7918c26ad6d566d3b37bcd297289306045efc1ee41057e0f4d91a199b184dce798d4a72c93c7063d0274d7a3cef

Download Submit
C:\Windows\SysWOW64\ujyfdjyfbacesyk.exe

Filesize
512KB

MD5
4b46eb5e3381dc58dc7fe024b27f7957

SHA1
9b10b016b765a98f6b6636b20eae83473b31097d

SHA256
eea3bae824363213a230158ca3e6ee76012e181fe9966afd35ab0ff845f9869d

SHA512
92b69815059bb3b37c6080297bc26ac41fab5144234b9c08651b7687f48f10b532cb1024b530c273195936c852737c28e958ff378c70710379b0a101ddc38d86

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\judtnyfu.exe

Filesize
45KB

MD5
e8d0a210a7de9cb675e1378280b0b6de

SHA1
c2ab939a2766a03bf6c24459cd935c2d580f220d

SHA256
c7c4be5ef5432feb35d5b82dadc75a8e6292be3f6630a23c22c1b66957344d0b

SHA512
e3aed655216ba65313dfc649215cb55b215aa5a3bccb14598d335ada70f6b0d02cc0133b02e755ae53f6e3983c19366dda6364ca91976fb07def3f5eaeb54fb5

Download Submit
memory/2840-47-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2840-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2840-45-0x000000002FDC1000-0x000000002FDC2000-memory.dmp

Filesize
4KB

Download
memory/2840-83-0x000000007152D000-0x0000000071538000-memory.dmp

Filesize
44KB

Download
memory/2840-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2932-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download