Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-12-2023 21:25

Static task: static1
Behavioral task: behavioral1
  Sample: 1cea8afb117415cfa8eec9d380e396bf.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1cea8afb117415cfa8eec9d380e396bf.exe
  Resource: win10v2004-20231215-en

General
Target: 1cea8afb117415cfa8eec9d380e396bf.exe
Size: 512KB
MD5: 1cea8afb117415cfa8eec9d380e396bf
SHA1: 57372eff5ec7c50e9d121ab022bd87b9befc6cf9
SHA256: fcfd1141b8e90da874f1c4b663f16167110e5365fc589d4f7aa46a4671abbe0f
SHA512: 05146dd8a4d0b5b32e794613e6ea8d7ae660f4ff9466559170b4d3d0e026d4bdc3be0cd5f589e0610d55bf1e8119160057f188f0c23bf3cf40cb14460f7e0d45
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6y:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5F
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | gcyuoowiee.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | gcyuoowiee.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gcyuoowiee.exe

Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gcyuoowiee.exe
Executes dropped EXE (5 IoCs)
pid | Process
2756 | gcyuoowiee.exe
2820 | wwabyedyigpajna.exe
2832 | hdskswop.exe
2428 | nblokifwdiahi.exe
2636 | hdskswop.exe

Loads dropped DLL (5 IoCs)
pid | Process
2288 | 1cea8afb117415cfa8eec9d380e396bf.exe (4 hits)
2756 | gcyuoowiee.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | gcyuoowiee.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nblokifwdiahi.exe" | wwabyedyigpajna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapsckcu = "gcyuoowiee.exe" | wwabyedyigpajna.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cofudljl = "wwabyedyigpajna.exe" | wwabyedyigpajna.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\j: | hdskswop.exe
File opened (read-only) | \??\q: | hdskswop.exe
File opened (read-only) | \??\p: | hdskswop.exe
File opened (read-only) | \??\r: | gcyuoowiee.exe
File opened (read-only) | \??\s: | hdskswop.exe
File opened (read-only) | \??\h: | gcyuoowiee.exe
File opened (read-only) | \??\p: | gcyuoowiee.exe
File opened (read-only) | \??\x: | hdskswop.exe
File opened (read-only) | \??\l: | hdskswop.exe
File opened (read-only) | \??\q: | hdskswop.exe
File opened (read-only) | \??\s: | gcyuoowiee.exe
File opened (read-only) | \??\m: | hdskswop.exe
File opened (read-only) | \??\u: | gcyuoowiee.exe
File opened (read-only) | \??\a: | gcyuoowiee.exe
File opened (read-only) | \??\q: | gcyuoowiee.exe
File opened (read-only) | \??\t: | hdskswop.exe
File opened (read-only) | \??\t: | gcyuoowiee.exe
File opened (read-only) | \??\l: | hdskswop.exe
File opened (read-only) | \??\y: | gcyuoowiee.exe
File opened (read-only) | \??\p: | hdskswop.exe
File opened (read-only) | \??\w: | hdskswop.exe
File opened (read-only) | \??\n: | hdskswop.exe
File opened (read-only) | \??\z: | hdskswop.exe
File opened (read-only) | \??\y: | hdskswop.exe
File opened (read-only) | \??\z: | gcyuoowiee.exe
File opened (read-only) | \??\m: | hdskswop.exe
File opened (read-only) | \??\x: | hdskswop.exe
File opened (read-only) | \??\g: | gcyuoowiee.exe
File opened (read-only) | \??\i: | gcyuoowiee.exe
File opened (read-only) | \??\l: | gcyuoowiee.exe
File opened (read-only) | \??\x: | gcyuoowiee.exe
File opened (read-only) | \??\h: | hdskswop.exe
File opened (read-only) | \??\u: | hdskswop.exe
File opened (read-only) | \??\b: | hdskswop.exe
File opened (read-only) | \??\j: | hdskswop.exe
File opened (read-only) | \??\v: | hdskswop.exe
File opened (read-only) | \??\y: | hdskswop.exe
File opened (read-only) | \??\h: | hdskswop.exe
File opened (read-only) | \??\b: | gcyuoowiee.exe
File opened (read-only) | \??\n: | hdskswop.exe
File opened (read-only) | \??\g: | hdskswop.exe
File opened (read-only) | \??\i: | hdskswop.exe
File opened (read-only) | \??\m: | gcyuoowiee.exe
File opened (read-only) | \??\k: | hdskswop.exe
File opened (read-only) | \??\s: | hdskswop.exe
File opened (read-only) | \??\z: | hdskswop.exe
File opened (read-only) | \??\o: | hdskswop.exe
File opened (read-only) | \??\k: | gcyuoowiee.exe
File opened (read-only) | \??\i: | hdskswop.exe
File opened (read-only) | \??\r: | hdskswop.exe
File opened (read-only) | \??\k: | hdskswop.exe
File opened (read-only) | \??\n: | gcyuoowiee.exe
File opened (read-only) | \??\e: | gcyuoowiee.exe
File opened (read-only) | \??\a: | hdskswop.exe
File opened (read-only) | \??\w: | hdskswop.exe
File opened (read-only) | \??\o: | hdskswop.exe
File opened (read-only) | \??\a: | hdskswop.exe
File opened (read-only) | \??\v: | hdskswop.exe
File opened (read-only) | \??\o: | gcyuoowiee.exe
File opened (read-only) | \??\w: | gcyuoowiee.exe
File opened (read-only) | \??\e: | hdskswop.exe
File opened (read-only) | \??\u: | hdskswop.exe
File opened (read-only) | \??\j: | gcyuoowiee.exe
File opened (read-only) | \??\v: | gcyuoowiee.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | gcyuoowiee.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | gcyuoowiee.exe

AutoIT Executable (7 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2288-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x000d0000000122e8-5.dat | autoit_exe
behavioral1/files/0x000a000000012243-17.dat | autoit_exe
behavioral1/files/0x0028000000015c63-28.dat | autoit_exe
behavioral1/files/0x0009000000015c9f-34.dat | autoit_exe
behavioral1/files/0x0005000000019371-66.dat | autoit_exe
behavioral1/files/0x000500000001938e-70.dat | autoit_exe

Drops file in System32 directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\gcyuoowiee.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File opened for modification | C:\Windows\SysWOW64\nblokifwdiahi.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | gcyuoowiee.exe
File opened for modification | C:\Windows\SysWOW64\gcyuoowiee.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File created | C:\Windows\SysWOW64\wwabyedyigpajna.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File opened for modification | C:\Windows\SysWOW64\wwabyedyigpajna.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File created | C:\Windows\SysWOW64\hdskswop.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File opened for modification | C:\Windows\SysWOW64\hdskswop.exe | 1cea8afb117415cfa8eec9d380e396bf.exe
File created | C:\Windows\SysWOW64\nblokifwdiahi.exe | 1cea8afb117415cfa8eec9d380e396bf.exe

Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hdskswop.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | hdskswop.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hdskswop.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hdskswop.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hdskswop.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hdskswop.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | hdskswop.exe

Drops file in Windows directory (5 IoCs)
description | ioc | Process
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 1cea8afb117415cfa8eec9d380e396bf.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | gcyuoowiee.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7836BB4FF1F22DBD273D0A58A7A9016" | 1cea8afb117415cfa8eec9d380e396bf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | gcyuoowiee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | gcyuoowiee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | gcyuoowiee.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | gcyuoowiee.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C7B9D2082236A3376A677212CD77DF464DC" | 1cea8afb117415cfa8eec9d380e396bf.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2592 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 8
2820 | wwabyedyigpajna.exe | 17
2428 | nblokifwdiahi.exe | 26
2756 | gcyuoowiee.exe | 5
2832 | hdskswop.exe | 4
2636 | hdskswop.exe | 4

Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process | hits
2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 3
2756 | gcyuoowiee.exe | 3
2820 | wwabyedyigpajna.exe | 3
2428 | nblokifwdiahi.exe | 3
2832 | hdskswop.exe | 3
2636 | hdskswop.exe | 3

Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process | hits
2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 3
2756 | gcyuoowiee.exe | 3
2820 | wwabyedyigpajna.exe | 3
2428 | nblokifwdiahi.exe | 3
2832 | hdskswop.exe | 3
2636 | hdskswop.exe | 3

Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process | hits
2592 | WINWORD.EXE | 2

Suspicious use of WriteProcessMemory (28 IoCs; each row was reported 4 times)
description | pid | Process | procid_target
PID 2288 wrote to memory of 2756 | 2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 28
PID 2288 wrote to memory of 2820 | 2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 29
PID 2288 wrote to memory of 2832 | 2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 30
PID 2288 wrote to memory of 2428 | 2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 31
PID 2756 wrote to memory of 2636 | 2756 | gcyuoowiee.exe | 33
PID 2288 wrote to memory of 2592 | 2288 | 1cea8afb117415cfa8eec9d380e396bf.exe | 32
PID 2592 wrote to memory of 1588 | 2592 | WINWORD.EXE | 36
Processes

C:\Users\Admin\AppData\Local\Temp\1cea8afb117415cfa8eec9d380e396bf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1cea8afb117415cfa8eec9d380e396bf.exe"
PID: 2288
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\gcyuoowiee.exe (child of PID 2288)
  Command line: gcyuoowiee.exe
  PID: 2756
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\hdskswop.exe (child of PID 2756)
    Command line: C:\Windows\system32\hdskswop.exe
    PID: 2636
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\wwabyedyigpajna.exe (child of PID 2288)
  Command line: wwabyedyigpajna.exe
  PID: 2820
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\hdskswop.exe (child of PID 2288)
  Command line: hdskswop.exe
  PID: 2832
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\nblokifwdiahi.exe (child of PID 2288)
  Command line: nblokifwdiahi.exe
  PID: 2428
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (child of PID 2288)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  PID: 2592
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (child of PID 2592)
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1588
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (7)
Downloads

Filesize: 512KB
MD5: 8d06cc80acb50a6ceb7aed466f971ad3
SHA1: 3ff3ad91b7a93be64f7aac2a2d45f29a4447b254
SHA256: ba69856ee8634bc1ad65cbaa81dc1bf4888316bf5c631b963ba9f73c1970e1fd
SHA512: 333c119f7f2a1136666d43fede7166963a075fbc0d25c5a2d4f0073c93ac1c34f6409609f691f4831bf1e435d8a60a3b29ed9a8e49b637100fc393c98f5f9d3d

Filesize: 512KB
MD5: 19d7aef066200e081cb58bece81dcc0e
SHA1: 2f4b47eb6f227f81a1c7571a19a4632271579284
SHA256: 9b68a5c3dc8d2dd3a66e1f93fdfbc7087fe2e8624f35ca2758871ee25a57d7e9
SHA512: 3ccecfda9c44e1e6765e071e7ebb7989ba96dce7d5c23c91889f97860c9951cff9df9df0177e64473cd87dd3b86dce1d5a49e33a13f1389b04ea5e849d58a633

Filesize: 20KB
MD5: 698101c076624007e41b82b8fa9fdcc1
SHA1: ce33f195ec38fbe77f743805f22db6e8656aea73
SHA256: 8731c1ad6cda080fb6608cf543b37a78ae6ff409cf03e37d873c7815c74d067d
SHA512: a56bf9eeaa16d0dd4914374be95dc7cdc92dec343a9bbe9497e9fd58f7afca7432b12ab1da3b80136504ad55c70d802b542ed0b8e1bdec03806d9c2ecf071d84

Filesize: 512KB
MD5: 4dbde51f6e2b45cb575f1c84e33c5c5f
SHA1: 9341ccaf0f52d766f96bf83b0fc67f3af9fc7457
SHA256: 3dccf93c1b325d097c6797aa24d03370b09a2099598942348462a6f7ebd47623
SHA512: 260b103498e25a99a4e5fc0f969900f780db7fbff356f727ebec01a9304b95d9d4276c5ad05739cef6c6528d22031b446cb660d8cbb727cad8d14d8559a4267e

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 50152144df9a480da952ecd45a0f7f33
SHA1: 4289b38d1f612e4d95499947970c5b8d2e3b3338
SHA256: cb1096138ac44131a454be2ca6d12fdbc1262af68da761de503495e9d0dee7cf
SHA512: 2348d2d3b0042b15618eaf32e7d40ee14be7474c47d5c88865f26c104ce562916f25174fde965da9c0a61889ddb224b4f9e8a84eb08240aa1573feaff95a1e8b

Filesize: 512KB
MD5: d2985b03e04294a4e834faba0f4401cd
SHA1: 5f9207f23d2d2ea09cefdf60a4eb0b1c9cbf42d8
SHA256: 029e614ccb7df544c773c8968499b03e1a6a9a422a3e55a7a3d48bd298a21442
SHA512: 55919494e8164246045bea1103cc7d9f0dfefb6242e882a89587ac11baf2c2548d3a0c626df82dcfcb1451f98f6eff8a1741192c325d7ac9bf0d8e8b77703b51

Filesize: 512KB
MD5: 90e74d608e21d58b55967af4ef1080ab
SHA1: f660868d656afbf4dfa536716c62618ff6a459f5
SHA256: 4ef771a4f09b168b29e88b4b8017b394c9f77f8145e378a2a36af02b383d0c97
SHA512: 4263aaab25af8664eb958f35e8e5ea429ceaf9da9b1d09c1721d78e7f19919709048b2f9c522d182f7cad8487636b2b707ca5c688bacc19803259680cfa15c29