f1ee0894cbd512511beff6769544b0352496542a2ce369debfbd0ec6eb26c751

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/01/2024, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5397924660b1303ae18b98574737138c.exe
Size

512KB
MD5

5397924660b1303ae18b98574737138c
SHA1

2810380a2f4a9740154124b818ce99194104d8d0
SHA256

f1ee0894cbd512511beff6769544b0352496542a2ce369debfbd0ec6eb26c751
SHA512

b8cd82e122c95b6dac9fde33a36941d352ff640d09dd59dee87dee4bdf2c8dbaea1ebfd0cb3bfda5348fcfd46a0b94c0187b1d530c403da03cef1908a675b967
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5h

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	mmzokpgvkb.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	mmzokpgvkb.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mmzokpgvkb.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	mmzokpgvkb.exe

Executes dropped EXE 5 IoCs

pid	Process
2008	mmzokpgvkb.exe
2880	tbxdtriuvjbevbb.exe
2592	wngylwbg.exe
2720	fuvkajgsgludu.exe
2668	wngylwbg.exe

Loads dropped DLL 5 IoCs

pid	Process
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
2008	mmzokpgvkb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	mmzokpgvkb.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\njsfficu = "mmzokpgvkb.exe"	tbxdtriuvjbevbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymruurza = "tbxdtriuvjbevbb.exe"	tbxdtriuvjbevbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "fuvkajgsgludu.exe"	tbxdtriuvjbevbb.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	wngylwbg.exe
File opened (read-only)	\??\o:	wngylwbg.exe
File opened (read-only)	\??\v:	wngylwbg.exe
File opened (read-only)	\??\w:	wngylwbg.exe
File opened (read-only)	\??\b:	wngylwbg.exe
File opened (read-only)	\??\l:	wngylwbg.exe
File opened (read-only)	\??\k:	wngylwbg.exe
File opened (read-only)	\??\q:	wngylwbg.exe
File opened (read-only)	\??\w:	wngylwbg.exe
File opened (read-only)	\??\a:	wngylwbg.exe
File opened (read-only)	\??\j:	mmzokpgvkb.exe
File opened (read-only)	\??\h:	wngylwbg.exe
File opened (read-only)	\??\u:	wngylwbg.exe
File opened (read-only)	\??\v:	wngylwbg.exe
File opened (read-only)	\??\t:	mmzokpgvkb.exe
File opened (read-only)	\??\i:	wngylwbg.exe
File opened (read-only)	\??\x:	wngylwbg.exe
File opened (read-only)	\??\q:	mmzokpgvkb.exe
File opened (read-only)	\??\m:	mmzokpgvkb.exe
File opened (read-only)	\??\p:	mmzokpgvkb.exe
File opened (read-only)	\??\u:	mmzokpgvkb.exe
File opened (read-only)	\??\v:	mmzokpgvkb.exe
File opened (read-only)	\??\b:	wngylwbg.exe
File opened (read-only)	\??\e:	wngylwbg.exe
File opened (read-only)	\??\g:	wngylwbg.exe
File opened (read-only)	\??\i:	mmzokpgvkb.exe
File opened (read-only)	\??\x:	wngylwbg.exe
File opened (read-only)	\??\g:	wngylwbg.exe
File opened (read-only)	\??\u:	wngylwbg.exe
File opened (read-only)	\??\w:	mmzokpgvkb.exe
File opened (read-only)	\??\k:	wngylwbg.exe
File opened (read-only)	\??\r:	wngylwbg.exe
File opened (read-only)	\??\t:	wngylwbg.exe
File opened (read-only)	\??\g:	mmzokpgvkb.exe
File opened (read-only)	\??\s:	wngylwbg.exe
File opened (read-only)	\??\z:	wngylwbg.exe
File opened (read-only)	\??\e:	mmzokpgvkb.exe
File opened (read-only)	\??\h:	mmzokpgvkb.exe
File opened (read-only)	\??\s:	mmzokpgvkb.exe
File opened (read-only)	\??\y:	wngylwbg.exe
File opened (read-only)	\??\h:	wngylwbg.exe
File opened (read-only)	\??\q:	wngylwbg.exe
File opened (read-only)	\??\k:	mmzokpgvkb.exe
File opened (read-only)	\??\n:	mmzokpgvkb.exe
File opened (read-only)	\??\o:	mmzokpgvkb.exe
File opened (read-only)	\??\r:	mmzokpgvkb.exe
File opened (read-only)	\??\z:	mmzokpgvkb.exe
File opened (read-only)	\??\r:	wngylwbg.exe
File opened (read-only)	\??\y:	wngylwbg.exe
File opened (read-only)	\??\b:	mmzokpgvkb.exe
File opened (read-only)	\??\l:	wngylwbg.exe
File opened (read-only)	\??\n:	wngylwbg.exe
File opened (read-only)	\??\j:	wngylwbg.exe
File opened (read-only)	\??\p:	wngylwbg.exe
File opened (read-only)	\??\a:	mmzokpgvkb.exe
File opened (read-only)	\??\m:	wngylwbg.exe
File opened (read-only)	\??\o:	wngylwbg.exe
File opened (read-only)	\??\y:	mmzokpgvkb.exe
File opened (read-only)	\??\n:	wngylwbg.exe
File opened (read-only)	\??\z:	wngylwbg.exe
File opened (read-only)	\??\e:	wngylwbg.exe
File opened (read-only)	\??\j:	wngylwbg.exe
File opened (read-only)	\??\s:	wngylwbg.exe
File opened (read-only)	\??\a:	wngylwbg.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	mmzokpgvkb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	mmzokpgvkb.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/756-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b0000000149f5-5.dat	autoit_exe
behavioral1/files/0x000c0000000122f0-17.dat	autoit_exe
behavioral1/files/0x0009000000015018-33.dat	autoit_exe
behavioral1/files/0x0009000000015018-43.dat	autoit_exe
behavioral1/files/0x0007000000015616-39.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tbxdtriuvjbevbb.exe	5397924660b1303ae18b98574737138c.exe
File created	C:\Windows\SysWOW64\wngylwbg.exe	5397924660b1303ae18b98574737138c.exe
File created	C:\Windows\SysWOW64\mmzokpgvkb.exe	5397924660b1303ae18b98574737138c.exe
File created	C:\Windows\SysWOW64\tbxdtriuvjbevbb.exe	5397924660b1303ae18b98574737138c.exe
File created	C:\Windows\SysWOW64\fuvkajgsgludu.exe	5397924660b1303ae18b98574737138c.exe
File opened for modification	C:\Windows\SysWOW64\fuvkajgsgludu.exe	5397924660b1303ae18b98574737138c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	mmzokpgvkb.exe
File opened for modification	C:\Windows\SysWOW64\mmzokpgvkb.exe	5397924660b1303ae18b98574737138c.exe
File opened for modification	C:\Windows\SysWOW64\wngylwbg.exe	5397924660b1303ae18b98574737138c.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wngylwbg.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	wngylwbg.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	wngylwbg.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wngylwbg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wngylwbg.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	wngylwbg.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wngylwbg.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	wngylwbg.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	5397924660b1303ae18b98574737138c.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FACDFE65F1E284743A4386EB3E94B38902FE4311033CE2C8429B08A8"	5397924660b1303ae18b98574737138c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	mmzokpgvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	mmzokpgvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsh	mmzokpgvkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	mmzokpgvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	mmzokpgvkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "334E2C0C9D2383506A3777D070212DD87D8564DB"	5397924660b1303ae18b98574737138c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67C14E0DBBEB9C17FE6EC9434C8"	5397924660b1303ae18b98574737138c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	mmzokpgvkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2476	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
756	5397924660b1303ae18b98574737138c.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2668	wngylwbg.exe
2668	wngylwbg.exe
2668	wngylwbg.exe
2668	wngylwbg.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2880	tbxdtriuvjbevbb.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2668	wngylwbg.exe
2668	wngylwbg.exe
2668	wngylwbg.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
756	5397924660b1303ae18b98574737138c.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2008	mmzokpgvkb.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2592	wngylwbg.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2880	tbxdtriuvjbevbb.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2720	fuvkajgsgludu.exe
2668	wngylwbg.exe
2668	wngylwbg.exe
2668	wngylwbg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2476	WINWORD.EXE
2476	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2008	756	5397924660b1303ae18b98574737138c.exe	28
PID 756 wrote to memory of 2008	756	5397924660b1303ae18b98574737138c.exe	28
PID 756 wrote to memory of 2008	756	5397924660b1303ae18b98574737138c.exe	28
PID 756 wrote to memory of 2008	756	5397924660b1303ae18b98574737138c.exe	28
PID 756 wrote to memory of 2880	756	5397924660b1303ae18b98574737138c.exe	33
PID 756 wrote to memory of 2880	756	5397924660b1303ae18b98574737138c.exe	33
PID 756 wrote to memory of 2880	756	5397924660b1303ae18b98574737138c.exe	33
PID 756 wrote to memory of 2880	756	5397924660b1303ae18b98574737138c.exe	33
PID 756 wrote to memory of 2592	756	5397924660b1303ae18b98574737138c.exe	32
PID 756 wrote to memory of 2592	756	5397924660b1303ae18b98574737138c.exe	32
PID 756 wrote to memory of 2592	756	5397924660b1303ae18b98574737138c.exe	32
PID 756 wrote to memory of 2592	756	5397924660b1303ae18b98574737138c.exe	32
PID 756 wrote to memory of 2720	756	5397924660b1303ae18b98574737138c.exe	29
PID 756 wrote to memory of 2720	756	5397924660b1303ae18b98574737138c.exe	29
PID 756 wrote to memory of 2720	756	5397924660b1303ae18b98574737138c.exe	29
PID 756 wrote to memory of 2720	756	5397924660b1303ae18b98574737138c.exe	29
PID 2008 wrote to memory of 2668	2008	mmzokpgvkb.exe	30
PID 2008 wrote to memory of 2668	2008	mmzokpgvkb.exe	30
PID 2008 wrote to memory of 2668	2008	mmzokpgvkb.exe	30
PID 2008 wrote to memory of 2668	2008	mmzokpgvkb.exe	30
PID 756 wrote to memory of 2476	756	5397924660b1303ae18b98574737138c.exe	31
PID 756 wrote to memory of 2476	756	5397924660b1303ae18b98574737138c.exe	31
PID 756 wrote to memory of 2476	756	5397924660b1303ae18b98574737138c.exe	31
PID 756 wrote to memory of 2476	756	5397924660b1303ae18b98574737138c.exe	31
PID 2476 wrote to memory of 2760	2476	WINWORD.EXE	36
PID 2476 wrote to memory of 2760	2476	WINWORD.EXE	36
PID 2476 wrote to memory of 2760	2476	WINWORD.EXE	36
PID 2476 wrote to memory of 2760	2476	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\5397924660b1303ae18b98574737138c.exe
"C:\Users\Admin\AppData\Local\Temp\5397924660b1303ae18b98574737138c.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756
- C:\Windows\SysWOW64\mmzokpgvkb.exe
  mmzokpgvkb.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\wngylwbg.exe
    C:\Windows\system32\wngylwbg.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2668
- C:\Windows\SysWOW64\fuvkajgsgludu.exe
  fuvkajgsgludu.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2720
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2760
- C:\Windows\SysWOW64\wngylwbg.exe
  wngylwbg.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2592
- C:\Windows\SysWOW64\tbxdtriuvjbevbb.exe
  tbxdtriuvjbevbb.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9557d2715462e606805cbc88875bc5ce

SHA1
3ee487d905f2fdfc1d33fe71ef3fcebcffbb8388

SHA256
4a1a7c26ad00e6dfe4709f02ff3247994944a8f83f1ddc7f809b9dc6097dc387

SHA512
4d1f947f0b3e7d9b2ed9b69f0605ad0772ab4f63402bb39cf78299819aa24471cd7f975b6496de53bbce49cc4decb800da7cd7730d5a9dec0ef32ba89756b1af

Download Submit
C:\Windows\SysWOW64\fuvkajgsgludu.exe

Filesize
512KB

MD5
f1bd18d8b6a7d7cc415e05118b6a56c3

SHA1
127bcb21c788f639512ee8dc1423209b27f50bb5

SHA256
7dda02a2861aa70409be870ba953c909e44c43ef374ef55fffe3239cb988bb9c

SHA512
43e97ac1df749a331fe5c3dc47bfe1dfb139fec68d4798545b8cd588d9a5f4264156b47b328441ae140056bf33944b178c97dde4224833a9c39897617faf1e28

Download Submit
C:\Windows\SysWOW64\tbxdtriuvjbevbb.exe

Filesize
512KB

MD5
3aa8fbb5051d9d80b9b7b631b2e8d618

SHA1
e54f2224174e5e978789977b84d40b5a504946dd

SHA256
d165f455973d641442db3663fc743c3c89821adea527f6089bb4fa58067f992d

SHA512
314483b2486ff7745031748b63540a61084298cbf549d858ab46f0a7b69c6882c9ada77eb54a370a25efa92525442206dfa05a33373dfc4d7e57d91b633b716f

Download Submit
C:\Windows\SysWOW64\wngylwbg.exe

Filesize
512KB

MD5
c0c69a83e832c67cc3d082995c3d3153

SHA1
8e9cd20c8fd7d3afed6395ff3fef7f7122e85c5f

SHA256
a030e1e6e561bd9f6e829bbc02836e62e6d893dc89bf0aef318a8b3eacb1ae73

SHA512
5115299977af80c42e76964a51d796cb26572d5affc8ca22da3432261dc28c752e25ac0615cfc045ddcff79220bee89b6a9c4627e51d54ab82367860db43f958

Download Submit
C:\Windows\SysWOW64\wngylwbg.exe

Filesize
381KB

MD5
30aec9e0b33fbd99234328357879f812

SHA1
3c9d37139d4ccfe2b694afba9633170d0f510a92

SHA256
15aad0daaaeea2f1eb8d19a8999f42844b2885d6bef949f6787feba7dad46563

SHA512
2060f2cc8c90181dd0a9965f0ff3a94aece08c82c4a68454846f66778bc60dade3ba5ddc38be57311ff4a7bd78217b89a9cd09837eee4b5d9893277299dad415

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\mmzokpgvkb.exe

Filesize
512KB

MD5
a2f0ab23cae0ac9910f00247d05e6d6c

SHA1
808cf6365645c050ea09f07e86fb06a49f9255ce

SHA256
c8db38b74306daec4d88524ea5cfda4e5dddacc593a3068d2c549d41ee32e8e9

SHA512
d6756494c018e027f99fbac96a6c094001bf472f106262b034ec1303cdbc39feb015b95fb79b0fb918cec9c6dfead700229b9d771094a18e945c3cb6b757cc6a

Download Submit
memory/756-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2476-45-0x000000002FF31000-0x000000002FF32000-memory.dmp

Filesize
4KB

Download
memory/2476-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2476-47-0x0000000071A4D000-0x0000000071A58000-memory.dmp

Filesize
44KB

Download
memory/2476-74-0x0000000071A4D000-0x0000000071A58000-memory.dmp

Filesize
44KB

Download
memory/2476-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download