d1d0d3b022780ccea9bd6c77e69183d26914460d750046e8becb48d3f0b5949f

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 06:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c6df525405b712ffb465a4cd4a506e0.exe
Size

512KB
MD5

2c6df525405b712ffb465a4cd4a506e0
SHA1

8717010eed5776ec49d094441a819e515d7897b4
SHA256

d1d0d3b022780ccea9bd6c77e69183d26914460d750046e8becb48d3f0b5949f
SHA512

a95d163348d21223d103a1c71c6c33fe5a74d30fb592854e59c46e5d602b9939883d70f135302608544e2c65da52c0e28a16d3d5906b991ed31804a810355904
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6D:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5K

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	zwswrrscdo.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	zwswrrscdo.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	zwswrrscdo.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zwswrrscdo.exe

Executes dropped EXE 5 IoCs

pid	Process
2828	zwswrrscdo.exe
2372	iyzmpttbhbxzkyu.exe
2688	wwjwnmic.exe
2956	qvtshoythvjdy.exe
2636	wwjwnmic.exe

Loads dropped DLL 5 IoCs

pid	Process
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2828	zwswrrscdo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	zwswrrscdo.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zmdfvmkc = "zwswrrscdo.exe"	iyzmpttbhbxzkyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ssctkscg = "iyzmpttbhbxzkyu.exe"	iyzmpttbhbxzkyu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "qvtshoythvjdy.exe"	iyzmpttbhbxzkyu.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	zwswrrscdo.exe
File opened (read-only)	\??\v:	wwjwnmic.exe
File opened (read-only)	\??\l:	wwjwnmic.exe
File opened (read-only)	\??\b:	wwjwnmic.exe
File opened (read-only)	\??\y:	wwjwnmic.exe
File opened (read-only)	\??\x:	wwjwnmic.exe
File opened (read-only)	\??\x:	wwjwnmic.exe
File opened (read-only)	\??\h:	zwswrrscdo.exe
File opened (read-only)	\??\a:	wwjwnmic.exe
File opened (read-only)	\??\b:	wwjwnmic.exe
File opened (read-only)	\??\e:	wwjwnmic.exe
File opened (read-only)	\??\i:	wwjwnmic.exe
File opened (read-only)	\??\p:	wwjwnmic.exe
File opened (read-only)	\??\w:	wwjwnmic.exe
File opened (read-only)	\??\t:	wwjwnmic.exe
File opened (read-only)	\??\v:	wwjwnmic.exe
File opened (read-only)	\??\h:	wwjwnmic.exe
File opened (read-only)	\??\i:	wwjwnmic.exe
File opened (read-only)	\??\k:	wwjwnmic.exe
File opened (read-only)	\??\o:	wwjwnmic.exe
File opened (read-only)	\??\u:	wwjwnmic.exe
File opened (read-only)	\??\o:	wwjwnmic.exe
File opened (read-only)	\??\u:	zwswrrscdo.exe
File opened (read-only)	\??\z:	zwswrrscdo.exe
File opened (read-only)	\??\r:	wwjwnmic.exe
File opened (read-only)	\??\m:	wwjwnmic.exe
File opened (read-only)	\??\s:	wwjwnmic.exe
File opened (read-only)	\??\a:	wwjwnmic.exe
File opened (read-only)	\??\j:	wwjwnmic.exe
File opened (read-only)	\??\q:	wwjwnmic.exe
File opened (read-only)	\??\y:	wwjwnmic.exe
File opened (read-only)	\??\m:	wwjwnmic.exe
File opened (read-only)	\??\u:	wwjwnmic.exe
File opened (read-only)	\??\a:	zwswrrscdo.exe
File opened (read-only)	\??\r:	wwjwnmic.exe
File opened (read-only)	\??\e:	zwswrrscdo.exe
File opened (read-only)	\??\m:	zwswrrscdo.exe
File opened (read-only)	\??\q:	wwjwnmic.exe
File opened (read-only)	\??\b:	zwswrrscdo.exe
File opened (read-only)	\??\i:	zwswrrscdo.exe
File opened (read-only)	\??\n:	wwjwnmic.exe
File opened (read-only)	\??\z:	wwjwnmic.exe
File opened (read-only)	\??\j:	zwswrrscdo.exe
File opened (read-only)	\??\q:	zwswrrscdo.exe
File opened (read-only)	\??\y:	zwswrrscdo.exe
File opened (read-only)	\??\e:	wwjwnmic.exe
File opened (read-only)	\??\g:	wwjwnmic.exe
File opened (read-only)	\??\t:	wwjwnmic.exe
File opened (read-only)	\??\s:	zwswrrscdo.exe
File opened (read-only)	\??\t:	zwswrrscdo.exe
File opened (read-only)	\??\v:	zwswrrscdo.exe
File opened (read-only)	\??\x:	zwswrrscdo.exe
File opened (read-only)	\??\j:	wwjwnmic.exe
File opened (read-only)	\??\h:	wwjwnmic.exe
File opened (read-only)	\??\n:	zwswrrscdo.exe
File opened (read-only)	\??\o:	zwswrrscdo.exe
File opened (read-only)	\??\w:	wwjwnmic.exe
File opened (read-only)	\??\g:	zwswrrscdo.exe
File opened (read-only)	\??\p:	zwswrrscdo.exe
File opened (read-only)	\??\g:	wwjwnmic.exe
File opened (read-only)	\??\p:	wwjwnmic.exe
File opened (read-only)	\??\l:	wwjwnmic.exe
File opened (read-only)	\??\n:	wwjwnmic.exe
File opened (read-only)	\??\s:	wwjwnmic.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	zwswrrscdo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	zwswrrscdo.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2972-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d0000000122a5-5.dat	autoit_exe
behavioral1/files/0x000a000000012243-17.dat	autoit_exe
behavioral1/files/0x002d0000000135ac-28.dat	autoit_exe
behavioral1/files/0x000d0000000122a5-26.dat	autoit_exe
behavioral1/files/0x000d0000000122a5-30.dat	autoit_exe
behavioral1/files/0x002d0000000135ac-32.dat	autoit_exe
behavioral1/files/0x0008000000013a19-39.dat	autoit_exe
behavioral1/files/0x002d0000000135ac-37.dat	autoit_exe
behavioral1/files/0x0008000000013a19-34.dat	autoit_exe
behavioral1/files/0x0008000000013a19-41.dat	autoit_exe
behavioral1/files/0x002d0000000135ac-43.dat	autoit_exe
behavioral1/files/0x002d0000000135ac-42.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wwjwnmic.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\SysWOW64\wwjwnmic.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File created	C:\Windows\SysWOW64\qvtshoythvjdy.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\SysWOW64\qvtshoythvjdy.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File created	C:\Windows\SysWOW64\zwswrrscdo.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File created	C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\SysWOW64\zwswrrscdo.exe	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	zwswrrscdo.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwjwnmic.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwjwnmic.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wwjwnmic.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wwjwnmic.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wwjwnmic.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wwjwnmic.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wwjwnmic.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	2c6df525405b712ffb465a4cd4a506e0.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	zwswrrscdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B02D47E4389E53BFBAA6329CD7C5"	2c6df525405b712ffb465a4cd4a506e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "193AC70B15E1DBBFB8CF7FE7EDE434CE"	2c6df525405b712ffb465a4cd4a506e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	zwswrrscdo.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1992	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2972	2c6df525405b712ffb465a4cd4a506e0.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2828	zwswrrscdo.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2372	iyzmpttbhbxzkyu.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2688	wwjwnmic.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2956	qvtshoythvjdy.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe
2636	wwjwnmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1992	WINWORD.EXE
1992	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2828	2972	2c6df525405b712ffb465a4cd4a506e0.exe	28
PID 2972 wrote to memory of 2828	2972	2c6df525405b712ffb465a4cd4a506e0.exe	28
PID 2972 wrote to memory of 2828	2972	2c6df525405b712ffb465a4cd4a506e0.exe	28
PID 2972 wrote to memory of 2828	2972	2c6df525405b712ffb465a4cd4a506e0.exe	28
PID 2972 wrote to memory of 2372	2972	2c6df525405b712ffb465a4cd4a506e0.exe	29
PID 2972 wrote to memory of 2372	2972	2c6df525405b712ffb465a4cd4a506e0.exe	29
PID 2972 wrote to memory of 2372	2972	2c6df525405b712ffb465a4cd4a506e0.exe	29
PID 2972 wrote to memory of 2372	2972	2c6df525405b712ffb465a4cd4a506e0.exe	29
PID 2972 wrote to memory of 2688	2972	2c6df525405b712ffb465a4cd4a506e0.exe	30
PID 2972 wrote to memory of 2688	2972	2c6df525405b712ffb465a4cd4a506e0.exe	30
PID 2972 wrote to memory of 2688	2972	2c6df525405b712ffb465a4cd4a506e0.exe	30
PID 2972 wrote to memory of 2688	2972	2c6df525405b712ffb465a4cd4a506e0.exe	30
PID 2972 wrote to memory of 2956	2972	2c6df525405b712ffb465a4cd4a506e0.exe	31
PID 2972 wrote to memory of 2956	2972	2c6df525405b712ffb465a4cd4a506e0.exe	31
PID 2972 wrote to memory of 2956	2972	2c6df525405b712ffb465a4cd4a506e0.exe	31
PID 2972 wrote to memory of 2956	2972	2c6df525405b712ffb465a4cd4a506e0.exe	31
PID 2828 wrote to memory of 2636	2828	zwswrrscdo.exe	32
PID 2828 wrote to memory of 2636	2828	zwswrrscdo.exe	32
PID 2828 wrote to memory of 2636	2828	zwswrrscdo.exe	32
PID 2828 wrote to memory of 2636	2828	zwswrrscdo.exe	32
PID 2972 wrote to memory of 1992	2972	2c6df525405b712ffb465a4cd4a506e0.exe	33
PID 2972 wrote to memory of 1992	2972	2c6df525405b712ffb465a4cd4a506e0.exe	33
PID 2972 wrote to memory of 1992	2972	2c6df525405b712ffb465a4cd4a506e0.exe	33
PID 2972 wrote to memory of 1992	2972	2c6df525405b712ffb465a4cd4a506e0.exe	33
PID 1992 wrote to memory of 2468	1992	WINWORD.EXE	36
PID 1992 wrote to memory of 2468	1992	WINWORD.EXE	36
PID 1992 wrote to memory of 2468	1992	WINWORD.EXE	36
PID 1992 wrote to memory of 2468	1992	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\2c6df525405b712ffb465a4cd4a506e0.exe
"C:\Users\Admin\AppData\Local\Temp\2c6df525405b712ffb465a4cd4a506e0.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\zwswrrscdo.exe
  zwswrrscdo.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\wwjwnmic.exe
    C:\Windows\system32\wwjwnmic.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2636
- C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe
  iyzmpttbhbxzkyu.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2372
- C:\Windows\SysWOW64\wwjwnmic.exe
  wwjwnmic.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2688
- C:\Windows\SysWOW64\qvtshoythvjdy.exe
  qvtshoythvjdy.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2956
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
e67952dd31c72546bf2c2475d3e67e36

SHA1
fdd812ae31e25bd58d12a965bfc17351524e578b

SHA256
b6200064d69974fc87ca4a4ad9bdf63471224a57b5317ba704eae36ed4e39e60

SHA512
c72a27fca78b30a2b08bf0c270151d39fcf805d726dc341d9030cf033383f9cee7f9016e20bf3fffa44082fdad372efecc51b5ea04b81e6cd8e272642897f0f9

Download Submit
C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe

Filesize
276KB

MD5
3f18e2ec3cce820b0f347f267b2bb5b2

SHA1
bfc919324e1e4d504cda4cf181709f7559e941d6

SHA256
d632c583a90ac9d8a4223c90a610a05d022f130304ea6800d569fd972c0eb204

SHA512
8701abbd38b9c476638e18dbfec073ee8213f764935b018baa707c81aef7a48c821ecac11f9fd42eb99550a9b2195c8c84bbf697b965ad0b3d8a2ff637fd73f6

Download Submit
C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe

Filesize
125KB

MD5
3464558e2ad42711aafa544216be736a

SHA1
e671d98fc58ac3884f670b7c5dcd24c058aea8fa

SHA256
bd383e6009a6f5fabc8eb39c370e8694b938b41444d984fa6db369acf6a408ee

SHA512
03dae1c6dfdf9304d85e30d3e0b230ef3564433aff1c000be607eb56aac47990b360ab1b78506b5058671b69e499dcec969177d161b48f13b6c3d653c387638c

Download Submit
C:\Windows\SysWOW64\iyzmpttbhbxzkyu.exe

Filesize
512KB

MD5
c78e18ac590fc241e054cb759200a27e

SHA1
3c404aed3cac7a334d23984f5d220534468dbfab

SHA256
4c6ce65ac98df3be49e9361bf10e684e48f17ad06d877a197b6deb20395bb8af

SHA512
34b5da3f3ac60d2a806edcad8c2d792f5b78dbc196044b42f2d3dc0dd2936de44d627789d7aeb469c8dcb28258d42222b8aff1cfdc54c9069205d7eb6aed01ef

Download Submit
C:\Windows\SysWOW64\qvtshoythvjdy.exe

Filesize
147KB

MD5
26cb4c49a4176c2de61a88512df9d48e

SHA1
c23569afaaa2171462e23df054904efa6d11b741

SHA256
9395826d1b9d24c264bf9dabebeecf4646ddcf715aaf37f34cc096fcda0717ad

SHA512
88fe16b9bf7ad8291e0e320e0f3e73ae272a9cd4a55a3f38422cdda6300db948ed40b88a5223b89f2806be227cf12a764b9e4631176703c344d4848d0aaa3e06

Download Submit
C:\Windows\SysWOW64\qvtshoythvjdy.exe

Filesize
57KB

MD5
c88093b755557c815e20b25c9f61fb83

SHA1
4c2efc6656e0919c798f0dda31fb428a3ab0ff83

SHA256
699b2a29dbd9e361330b121f573dfdfffbb2e64458bd03a97742ad4b3665408b

SHA512
060c4d5cf40f16d771f2f7b860174c27d2faf2ea1f04e57463c7f8918a7f969a17e885a339506a09cef018dc4209dfbb179d6722b3758249aa7c9aaec0364be3

Download Submit
C:\Windows\SysWOW64\wwjwnmic.exe

Filesize
185KB

MD5
0eff34753b1afebebf7e550278e050b0

SHA1
8a8bd4b4db81b270b110d76c593b407e43967a55

SHA256
68514af7086f5970d7fb773b9f0b2f5316c505a6a1419fa5ce1d3e9ca545fb43

SHA512
2e723730483e30aebb4c20f0a2d66896dc3aa7e62b00871c66d62ef5780d3ee2f67b15289ac36e9b2f7a5e0459c0aebd8a8090ee44ab541779ae77166b544cd0

Download Submit
C:\Windows\SysWOW64\wwjwnmic.exe

Filesize
106KB

MD5
5821fc2dcd3b81b5875cb0b2c1a499d6

SHA1
a142534652d9ee6b24ff96c69ff8e980e2ab6712

SHA256
07d60bd4c17743aa867a0345c7084096c6dd6ae43b725b17c3291140eefba3b5

SHA512
50da6707c956ee4e6d1b1f707f9550efa2950221274d93b3a8188a2d6dc6296e93c24cf1d95c8bdbb5e35aaa384053a592b003584cba19b19cb390d9f15caa4a

Download Submit
C:\Windows\SysWOW64\wwjwnmic.exe

Filesize
11KB

MD5
d6bec1cdf3cb2b3e7fbef5c9b3c48b69

SHA1
fe395fa2755ae1e61fdc2109fb45692b4065d498

SHA256
003a115c9399a381d09feef3eea661fa5bcd7c3bfa9c35c406e759df55d49683

SHA512
3ba13d9821e7005519898f8943876756c58aa91fd1761e557691534e328998a31f3ead40da19687f30e8c1ceac00e5b9da338a246bcc46a67880b3493207ae34

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\qvtshoythvjdy.exe

Filesize
271KB

MD5
dc7ce483a138bc0da4981c5a71df1b3c

SHA1
2a854bddd33ecd1e33cbf34f389285b288a667c2

SHA256
fd6a7c8b04c8cbf86ccf1f09295e7b41f29efcdeadd577d9126bdb8989cd7be5

SHA512
a9c3111488713d0ec4c4bfea8b153c5aebf140fb01558c7cdb4679b371970bc8c2b57635b5f85147d7d583be3f3479b97c2dacb4aa99a43e36c2489d40cefa20

Download Submit
\Windows\SysWOW64\wwjwnmic.exe

Filesize
494KB

MD5
708c2995d86bfa6e570ed0348148069d

SHA1
fdd48ed0f902bb3afc63ff3cc51039b5f6ed798d

SHA256
07f78641675e7da85d7dadc985f2e6192a5d4bafe4cd609d02a739a0c15913bd

SHA512
a1d83c8c179a3700d5d6760ca1e873c2189bd9bfeeee8193a480988a323850073289d9553bc011fa7359f474a359cb6ead48dd785a115e2b994adfa12b44d8a5

Download Submit
\Windows\SysWOW64\wwjwnmic.exe

Filesize
23KB

MD5
cf25c206edb5885338a2fef2e9fbd4d7

SHA1
ccc8d41970c1cba1e8c5079a73890f054f992560

SHA256
ac9046da307b371893921112b1b9e12a28d7a9286016c542ead5140d7ffb3e1d

SHA512
841905ede681acc05f1806c4bc176fa71d28a3bf9581e5cc7601ada8b0865f162d10831ffe3049df43cbe2babe2183843de5f241b97605f4a8f3ca1bf092bbe0

Download Submit
\Windows\SysWOW64\zwswrrscdo.exe

Filesize
512KB

MD5
4a43b053064fe5ed14185b2be2f4c611

SHA1
dc7260061dbce395358d39b5bee9cbd8006bc50b

SHA256
39a8ea3b426fcbdc6ed80352fcc8ec6c0bc1dcf6e528a7290a37698aa318571b

SHA512
d05e12319df3baaa92b409d8be5b9c94ceb94dc94f7f1188d64de02ecacbab20fc7a338c7b100a0a7aa231ced6019a00c93044c703aefadd4762c05eef2bd13e

Download Submit
memory/1992-45-0x000000002FC31000-0x000000002FC32000-memory.dmp

Filesize
4KB

Download
memory/1992-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1992-47-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/1992-74-0x000000007180D000-0x0000000071818000-memory.dmp

Filesize
44KB

Download
memory/1992-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2972-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download