Analysis
- max time kernel: 136s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2023 22:35
Static task: static1
Behavioral task: behavioral1
- Sample: 1624dc9535d5a83f542323e1d0a34e3a.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 1624dc9535d5a83f542323e1d0a34e3a.exe
- Resource: win10v2004-20231222-en
General
- Target: 1624dc9535d5a83f542323e1d0a34e3a.exe
- Size: 512KB
- MD5: 1624dc9535d5a83f542323e1d0a34e3a
- SHA1: 08426e094d6c34ad38d9fd39d83b02e23b6c53c1
- SHA256: a025cb33d356a0395c4e098f8f66800ac4bb02eddbd049a26c8957b5bd6a4705
- SHA512: 9ce3c6f26cedcc4c51aabf7315d734374eb5928349927652389aa836510141a70c6b71461b19fd57d5840c63bbaf37200d57d91b97c2e61666829a4b823d4167
- SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj60:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5d
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | jnsqzrxica.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | jnsqzrxica.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jnsqzrxica.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jnsqzrxica.exe
Executes dropped EXE 5 IoCs
pid | Process
2620 | jnsqzrxica.exe
2756 | ctetnusaputeptn.exe
2632 | ckgtbtwt.exe
2592 | kfdgfnimxqduo.exe
2776 | ckgtbtwt.exe
Loads dropped DLL 5 IoCs
pid | Process
2932 | 1624dc9535d5a83f542323e1d0a34e3a.exe
2932 | 1624dc9535d5a83f542323e1d0a34e3a.exe
2932 | 1624dc9535d5a83f542323e1d0a34e3a.exe
2932 | 1624dc9535d5a83f542323e1d0a34e3a.exe
2620 | jnsqzrxica.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | jnsqzrxica.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mfqqvbsk = "jnsqzrxica.exe" | ctetnusaputeptn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hugtxgys = "ctetnusaputeptn.exe" | ctetnusaputeptn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "kfdgfnimxqduo.exe" | ctetnusaputeptn.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | jnsqzrxica.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | jnsqzrxica.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\jnsqzrxica.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File opened for modification | C:\Windows\SysWOW64\ctetnusaputeptn.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File created | C:\Windows\SysWOW64\kfdgfnimxqduo.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File opened for modification | C:\Windows\SysWOW64\kfdgfnimxqduo.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | jnsqzrxica.exe
File opened for modification | C:\Windows\SysWOW64\jnsqzrxica.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File created | C:\Windows\SysWOW64\ctetnusaputeptn.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File created | C:\Windows\SysWOW64\ckgtbtwt.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
File opened for modification | C:\Windows\SysWOW64\ckgtbtwt.exe | 1624dc9535d5a83f542323e1d0a34e3a.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckgtbtwt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckgtbtwt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckgtbtwt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | ckgtbtwt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ckgtbtwt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | ckgtbtwt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | ckgtbtwt.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | 1624dc9535d5a83f542323e1d0a34e3a.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2608 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2608 | WINWORD.EXE
2608 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a.exe (PID 2932)
Command line: "C:\Users\Admin\AppData\Local\Temp\1624dc9535d5a83f542323e1d0a34e3a.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2608)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\splwow64.exe (PID 1356)
    Command line: C:\Windows\splwow64.exe 12288

  C:\Windows\SysWOW64\kfdgfnimxqduo.exe (PID 2592)
  Command line: kfdgfnimxqduo.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ckgtbtwt.exe (PID 2632)
  Command line: ckgtbtwt.exe
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ctetnusaputeptn.exe (PID 2756)
  Command line: ctetnusaputeptn.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\jnsqzrxica.exe (PID 2620)
  Command line: jnsqzrxica.exe
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\ckgtbtwt.exe (PID 2776)
Command line: C:\Windows\system32\ckgtbtwt.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1

Privilege Escalation
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1

Defense Evasion
- Hide Artifacts 2
  - Hidden Files and Directories 2
- Impair Defenses 2
  - Disable or Modify Tools 2
- Modify Registry 7

Downloads