Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 25/12/2023, 19:50

Static task: static1
Behavioral task: behavioral1
  Sample: 39409cd656c0bc7567e2c8352dcc2236.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 39409cd656c0bc7567e2c8352dcc2236.exe
  Resource: win10v2004-20231215-en

General
Target: 39409cd656c0bc7567e2c8352dcc2236.exe
Size: 512KB
MD5: 39409cd656c0bc7567e2c8352dcc2236
SHA1: 0b4ded3b48affa28dfc075d3a56c6a8ed1ac9479
SHA256: 9f93f8f5e71266c7001be5bfa04830fc68f8a697b014d04058d1cf5417c5fbd7
SHA512: d34208d2994a2a7314b2b0c16af693504658f3588bddbba4a31f5aaa75db37814b48584112d2a70e07a871852f7dbb1b90409eea6e5038781fdbc1aecbe3cd2c
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5V
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | nptegcoiec.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nptegcoiec.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nptegcoiec.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | nptegcoiec.exe

Executes dropped EXE 5 IoCs
pid | Process
2444 | nptegcoiec.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2780 | awfenawv.exe
2820 | awfenawv.exe

Loads dropped DLL 5 IoCs
pid | Process
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
2444 | nptegcoiec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | nptegcoiec.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xsdbxxdr = "nptegcoiec.exe" | bbwdandcvdeyhfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yngjabbc = "bbwdandcvdeyhfh.exe" | bbwdandcvdeyhfh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "gzvwvpzomvbeq.exe" | bbwdandcvdeyhfh.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\z: | awfenawv.exe
File opened (read-only) | \??\w: | nptegcoiec.exe
File opened (read-only) | \??\b: | awfenawv.exe
File opened (read-only) | \??\m: | awfenawv.exe
File opened (read-only) | \??\y: | awfenawv.exe
File opened (read-only) | \??\g: | awfenawv.exe
File opened (read-only) | \??\o: | awfenawv.exe
File opened (read-only) | \??\t: | awfenawv.exe
File opened (read-only) | \??\l: | awfenawv.exe
File opened (read-only) | \??\o: | awfenawv.exe
File opened (read-only) | \??\b: | awfenawv.exe
File opened (read-only) | \??\v: | nptegcoiec.exe
File opened (read-only) | \??\g: | awfenawv.exe
File opened (read-only) | \??\e: | awfenawv.exe
File opened (read-only) | \??\o: | nptegcoiec.exe
File opened (read-only) | \??\u: | awfenawv.exe
File opened (read-only) | \??\r: | awfenawv.exe
File opened (read-only) | \??\s: | awfenawv.exe
File opened (read-only) | \??\e: | nptegcoiec.exe
File opened (read-only) | \??\i: | nptegcoiec.exe
File opened (read-only) | \??\j: | nptegcoiec.exe
File opened (read-only) | \??\l: | awfenawv.exe
File opened (read-only) | \??\t: | nptegcoiec.exe
File opened (read-only) | \??\u: | awfenawv.exe
File opened (read-only) | \??\m: | awfenawv.exe
File opened (read-only) | \??\n: | awfenawv.exe
File opened (read-only) | \??\y: | awfenawv.exe
File opened (read-only) | \??\a: | nptegcoiec.exe
File opened (read-only) | \??\x: | awfenawv.exe
File opened (read-only) | \??\a: | awfenawv.exe
File opened (read-only) | \??\x: | nptegcoiec.exe
File opened (read-only) | \??\b: | nptegcoiec.exe
File opened (read-only) | \??\k: | nptegcoiec.exe
File opened (read-only) | \??\i: | awfenawv.exe
File opened (read-only) | \??\j: | awfenawv.exe
File opened (read-only) | \??\n: | awfenawv.exe
File opened (read-only) | \??\q: | awfenawv.exe
File opened (read-only) | \??\x: | awfenawv.exe
File opened (read-only) | \??\v: | awfenawv.exe
File opened (read-only) | \??\m: | nptegcoiec.exe
File opened (read-only) | \??\e: | awfenawv.exe
File opened (read-only) | \??\k: | awfenawv.exe
File opened (read-only) | \??\v: | awfenawv.exe
File opened (read-only) | \??\z: | awfenawv.exe
File opened (read-only) | \??\q: | awfenawv.exe
File opened (read-only) | \??\s: | awfenawv.exe
File opened (read-only) | \??\p: | nptegcoiec.exe
File opened (read-only) | \??\q: | nptegcoiec.exe
File opened (read-only) | \??\z: | nptegcoiec.exe
File opened (read-only) | \??\h: | awfenawv.exe
File opened (read-only) | \??\t: | awfenawv.exe
File opened (read-only) | \??\h: | nptegcoiec.exe
File opened (read-only) | \??\p: | awfenawv.exe
File opened (read-only) | \??\w: | awfenawv.exe
File opened (read-only) | \??\i: | awfenawv.exe
File opened (read-only) | \??\r: | nptegcoiec.exe
File opened (read-only) | \??\s: | nptegcoiec.exe
File opened (read-only) | \??\u: | nptegcoiec.exe
File opened (read-only) | \??\r: | awfenawv.exe
File opened (read-only) | \??\n: | nptegcoiec.exe
File opened (read-only) | \??\k: | awfenawv.exe
File opened (read-only) | \??\y: | nptegcoiec.exe
File opened (read-only) | \??\p: | awfenawv.exe
File opened (read-only) | \??\h: | awfenawv.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | nptegcoiec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | nptegcoiec.exe
AutoIT Executable 9 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/3036-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000a00000001225c-5.dat | autoit_exe
behavioral1/files/0x000a000000012233-17.dat | autoit_exe
behavioral1/files/0x0007000000016a9d-36.dat | autoit_exe
behavioral1/files/0x0007000000016a9d-32.dat | autoit_exe
behavioral1/files/0x0026000000016032-28.dat | autoit_exe
behavioral1/files/0x0005000000019523-66.dat | autoit_exe
behavioral1/files/0x000200000000894a-77.dat | autoit_exe
behavioral1/files/0x0005000000019595-88.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\awfenawv.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File opened for modification | C:\Windows\SysWOW64\gzvwvpzomvbeq.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | nptegcoiec.exe
File created | C:\Windows\SysWOW64\awfenawv.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File opened for modification | C:\Windows\SysWOW64\nptegcoiec.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File created | C:\Windows\SysWOW64\bbwdandcvdeyhfh.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File opened for modification | C:\Windows\SysWOW64\bbwdandcvdeyhfh.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File created | C:\Windows\SysWOW64\gzvwvpzomvbeq.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
File created | C:\Windows\SysWOW64\nptegcoiec.exe | 39409cd656c0bc7567e2c8352dcc2236.exe
Drops file in Program Files directory 22 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | awfenawv.exe
File opened for modification | C:\Program Files\PopResume.doc.exe | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | awfenawv.exe
File opened for modification | C:\Program Files\PopResume.doc.exe | awfenawv.exe
File opened for modification | C:\Program Files\PopResume.nal | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | awfenawv.exe
File opened for modification | \??\c:\Program Files\PopResume.doc.exe | awfenawv.exe
File opened for modification | \??\c:\Program Files\PopResume.doc.exe | awfenawv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | awfenawv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | awfenawv.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File created | \??\c:\Program Files\PopResume.doc.exe | awfenawv.exe
File opened for modification | C:\Program Files\PopResume.nal | awfenawv.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | awfenawv.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | awfenawv.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 39409cd656c0bc7567e2c8352dcc2236.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342D789D2D83236A4476D370522CD77DF464DA" | 39409cd656c0bc7567e2c8352dcc2236.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | nptegcoiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | nptegcoiec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | nptegcoiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | nptegcoiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67F15E5DAB1B8BC7CE6EDE734CA" | 39409cd656c0bc7567e2c8352dcc2236.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | nptegcoiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FCAB02D4793399853BFBAD33392D4B9" | 39409cd656c0bc7567e2c8352dcc2236.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | nptegcoiec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | nptegcoiec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2684 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2820 | awfenawv.exe
2820 | awfenawv.exe
2820 | awfenawv.exe
2820 | awfenawv.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2676 | bbwdandcvdeyhfh.exe

Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
2676 | bbwdandcvdeyhfh.exe
2444 | nptegcoiec.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2820 | awfenawv.exe
2820 | awfenawv.exe
2820 | awfenawv.exe

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
3036 | 39409cd656c0bc7567e2c8352dcc2236.exe
2676 | bbwdandcvdeyhfh.exe
2444 | nptegcoiec.exe
2676 | bbwdandcvdeyhfh.exe
2676 | bbwdandcvdeyhfh.exe
2444 | nptegcoiec.exe
2444 | nptegcoiec.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2780 | awfenawv.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2580 | gzvwvpzomvbeq.exe
2820 | awfenawv.exe
2820 | awfenawv.exe
2820 | awfenawv.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2684 | WINWORD.EXE
2684 | WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3036 wrote to memory of 2444 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 28
PID 3036 wrote to memory of 2444 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 28
PID 3036 wrote to memory of 2444 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 28
PID 3036 wrote to memory of 2444 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 28
PID 3036 wrote to memory of 2676 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 29
PID 3036 wrote to memory of 2676 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 29
PID 3036 wrote to memory of 2676 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 29
PID 3036 wrote to memory of 2676 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 29
PID 3036 wrote to memory of 2780 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 31
PID 3036 wrote to memory of 2780 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 31
PID 3036 wrote to memory of 2780 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 31
PID 3036 wrote to memory of 2780 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 31
PID 3036 wrote to memory of 2580 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 30
PID 3036 wrote to memory of 2580 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 30
PID 2444 wrote to memory of 2820 | 2444 | nptegcoiec.exe | 32
PID 2444 wrote to memory of 2820 | 2444 | nptegcoiec.exe | 32
PID 2444 wrote to memory of 2820 | 2444 | nptegcoiec.exe | 32
PID 2444 wrote to memory of 2820 | 2444 | nptegcoiec.exe | 32
PID 3036 wrote to memory of 2684 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 33
PID 3036 wrote to memory of 2684 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 33
PID 3036 wrote to memory of 2684 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 33
PID 3036 wrote to memory of 2684 | 3036 | 39409cd656c0bc7567e2c8352dcc2236.exe | 33
PID 2684 wrote to memory of 848 | 2684 | WINWORD.EXE | 36
PID 2684 wrote to memory of 848 | 2684 | WINWORD.EXE | 36
PID 2684 wrote to memory of 848 | 2684 | WINWORD.EXE | 36
PID 2684 wrote to memory of 848 | 2684 | WINWORD.EXE | 36
Processes

C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39409cd656c0bc7567e2c8352dcc2236.exe"
  PID: 3036
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\nptegcoiec.exe
    Command line: nptegcoiec.exe
    PID: 2444
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\awfenawv.exe
      Command line: C:\Windows\system32\awfenawv.exe
      PID: 2820
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\bbwdandcvdeyhfh.exe
    Command line: bbwdandcvdeyhfh.exe
    PID: 2676
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\gzvwvpzomvbeq.exe
    Command line: gzvwvpzomvbeq.exe
    PID: 2580
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\awfenawv.exe
    Command line: awfenawv.exe
    PID: 2780
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
    PID: 2684
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe
      Command line: C:\Windows\splwow64.exe 12288
      PID: 848
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Hide Artifacts 2
    Hidden Files and Directories 2
  Impair Defenses 2
    Disable or Modify Tools 2
  Modify Registry 7
Downloads

Filesize: 512KB
MD5: 398959fb8a21fdf8d6cdc4dc4c5f4cb8
SHA1: 5ef71f38b248a0bd632769a90af0e511a1734bdb
SHA256: acebe78d6addf411d7b7ed4fb84203246e1150e90236545877f7ad8defbf4908
SHA512: ffc26b138ec38ca6c2126ae3f1d9c2ad93a0ccad5e9fe1630f6c03c04c58f14e210658f4df2890995f3e86074c599b32bcd7dec3e0b6e2754ae74e89f133a728

Filesize: 512KB
MD5: 8437bf9c277b15bec390abf7d465184b
SHA1: 63a90522241a33a4b5803f43d2006b6716cb1764
SHA256: 1b064cab404e18f7e4c01e0e97151a0e24ead884f9788cdc49208961513c4fe6
SHA512: e6c2bb3f744c4e48ad9678a56e87fc6c9c14595d07082b2d389021fe820c65e90f1b993d8f0e2cadada5d7a77c9b18ade28977fba693a157eb0966accf6cd2b6

Filesize: 20KB
MD5: 8288a4477553152a8f8a05a2666776da
SHA1: 4ea509870d59bce10aceb5a76be7ab24a042ac7d
SHA256: 951beed5bd4e7285070ae8d13078b0f1bcd87f76a781fbe148e5a787d67f28ec
SHA512: cba108f86a6b5565ed929edc508cd2606fce2ed593988d8c953a5befaa232607b7a2b4e378732ecfc75277ce1eec8e1332bba6dd3e61a46a25945da8ffb489ed

Filesize: 512KB
MD5: afb78626d1ec900020ee319c795c2f50
SHA1: a570c5e5c00d635b3d59aba9d64abc22556165f2
SHA256: 4f6a9ed5e896d4064cffc9136205bc52248eda83b93c8eb5cfa51ace259935fb
SHA512: 8314e3f564082468569fbea4baa5d1524e2fdf10001707ab6b28a3c1d0d47b5968d245cfa5e2301a88a24b65028b30de839fc9c530c50d4206d94daaa3511231

Filesize: 512KB
MD5: 0f2980cab89b0ae09797c387fd583da0
SHA1: 1117806393cb7814fac7abbdd1bc0d86ca6d514a
SHA256: 6dffb826e6f3ab69571895dbacf834a158d2089c7b86edc5da3e58a577f487a4
SHA512: fc581dd4d1e671450f0e9aa9de4b5b9efe9ca92e593421410cec60bde0e41896ff5a967d56b8dc7e7bc2d880e43d46e55bf11c9608c70a0b10eb2ea295db03b8

Filesize: 512KB
MD5: 5421cb1cbba708b4ea0c07a64e19ffed
SHA1: 9667419b526c83905b2456a5cc3b17cb320ba48c
SHA256: d3ff18b4c4808393aaed293e30733cb03eab694e34439d82e77b5cc9e9c16cad
SHA512: f89a18405de14bb7d0da267798935e952f29d6161e007c7f298976e9099ab72217eeca283032818d8cf764efe4bc1c9e86c722b1c192e5050fff5e1f8e1d075d

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 7c0cfb70066e1b873ca74acdaf99760f
SHA1: d15b3c3bbd304ce7e324771e3a056fdac1a82350
SHA256: 17eca678693e182f268fb261fcd65859e7c564ed2b0847532740acf1e63c6456
SHA512: 544b89fcef5d3c214de6160e7e27e80c2d5d6e19a00dfe54ffb624afa9ff81cea11db25b5958d0d35d4e3031bea2e82f821e6756cab8799ce80cc70eaf332923

Filesize: 512KB
MD5: b1fb52887791a0a2ae039bcf7c30a9ea
SHA1: 6fb8ed2e5a9782f48ded39b6d05f2a937ff3e4c6
SHA256: 211a8996757e59bc0ade3be60552da2668ecf8873d79abfba9bd8945002b9d55
SHA512: 1a3a0c4896e3343a2fb1cac877c3e0753c005511c6c51bcc9dd0fbd83028ad3a61693ce6fb97bc3c3d08a780d78f7598db82269f7f101474adfbee7f2eec01db

Filesize: 512KB
MD5: f9e5e60af311f4f82bddc031710ed42d
SHA1: ccc6c4eae5f5f1f8b956d550531681f6d03eb439
SHA256: d09e6c9d9bfae659e1f48a713591b79048ee30be912624a4003b5f5bb11852f9
SHA512: a84b773d7ee8646d88f93bc97d3b6fbf11860e804f9d7d4190f4ea737aecf857594094055bb610806d0d9578ba888404671ec45bb357b713f95cce9757815e2f