Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
26/12/2023, 04:57
Static task
static1
Behavioral task
behavioral1
Sample
560d6cd1b5204f3ed86260fcbbd12665.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
560d6cd1b5204f3ed86260fcbbd12665.exe
Resource
win10v2004-20231215-en
General
-
Target
560d6cd1b5204f3ed86260fcbbd12665.exe
-
Size
512KB
-
MD5
560d6cd1b5204f3ed86260fcbbd12665
-
SHA1
b17b2cfe9380688340d92545c84817d693adce88
-
SHA256
b3db3a2d7648aa94616e60e2d17ba63818a73127cdda7f53eaf901c0a258dadd
-
SHA512
4863b5c0390fa4315891d906820fcc76ff9dfb8921ea00ad2f0a5bee3fce8681fad5923fb4a3ac9ba3e28feff8e84b28fb44f9efea48d3423000c04285441481
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6f:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | hbxkairrhc.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | hbxkairrhc.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | hbxkairrhc.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hbxkairrhc.exe
Executes dropped EXE 5 IoCs
pid | Process
2668 | hbxkairrhc.exe
2800 | ifgjsfcekxhketw.exe
2776 | lwnkwujt.exe
3016 | ccetglqjwqmfi.exe
2564 | lwnkwujt.exe
Loads dropped DLL 5 IoCs
pid | Process
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
2668 | hbxkairrhc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | hbxkairrhc.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sriqraqx = "hbxkairrhc.exe" | ifgjsfcekxhketw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvfvvfqi = "ifgjsfcekxhketw.exe" | ifgjsfcekxhketw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ccetglqjwqmfi.exe" | ifgjsfcekxhketw.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\m: | lwnkwujt.exe
File opened (read-only) | \??\v: | lwnkwujt.exe
File opened (read-only) | \??\l: | hbxkairrhc.exe
File opened (read-only) | \??\n: | hbxkairrhc.exe
File opened (read-only) | \??\q: | hbxkairrhc.exe
File opened (read-only) | \??\z: | hbxkairrhc.exe
File opened (read-only) | \??\l: | lwnkwujt.exe
File opened (read-only) | \??\p: | lwnkwujt.exe
File opened (read-only) | \??\b: | lwnkwujt.exe
File opened (read-only) | \??\s: | lwnkwujt.exe
File opened (read-only) | \??\y: | lwnkwujt.exe
File opened (read-only) | \??\i: | lwnkwujt.exe
File opened (read-only) | \??\o: | hbxkairrhc.exe
File opened (read-only) | \??\r: | hbxkairrhc.exe
File opened (read-only) | \??\u: | hbxkairrhc.exe
File opened (read-only) | \??\v: | lwnkwujt.exe
File opened (read-only) | \??\z: | lwnkwujt.exe
File opened (read-only) | \??\w: | lwnkwujt.exe
File opened (read-only) | \??\g: | lwnkwujt.exe
File opened (read-only) | \??\b: | lwnkwujt.exe
File opened (read-only) | \??\g: | lwnkwujt.exe
File opened (read-only) | \??\j: | hbxkairrhc.exe
File opened (read-only) | \??\i: | lwnkwujt.exe
File opened (read-only) | \??\o: | lwnkwujt.exe
File opened (read-only) | \??\h: | lwnkwujt.exe
File opened (read-only) | \??\r: | lwnkwujt.exe
File opened (read-only) | \??\t: | lwnkwujt.exe
File opened (read-only) | \??\e: | lwnkwujt.exe
File opened (read-only) | \??\n: | lwnkwujt.exe
File opened (read-only) | \??\r: | lwnkwujt.exe
File opened (read-only) | \??\y: | lwnkwujt.exe
File opened (read-only) | \??\b: | hbxkairrhc.exe
File opened (read-only) | \??\k: | lwnkwujt.exe
File opened (read-only) | \??\k: | hbxkairrhc.exe
File opened (read-only) | \??\n: | lwnkwujt.exe
File opened (read-only) | \??\l: | lwnkwujt.exe
File opened (read-only) | \??\a: | hbxkairrhc.exe
File opened (read-only) | \??\h: | hbxkairrhc.exe
File opened (read-only) | \??\i: | hbxkairrhc.exe
File opened (read-only) | \??\v: | hbxkairrhc.exe
File opened (read-only) | \??\j: | lwnkwujt.exe
File opened (read-only) | \??\t: | lwnkwujt.exe
File opened (read-only) | \??\e: | lwnkwujt.exe
File opened (read-only) | \??\h: | lwnkwujt.exe
File opened (read-only) | \??\m: | lwnkwujt.exe
File opened (read-only) | \??\u: | lwnkwujt.exe
File opened (read-only) | \??\w: | hbxkairrhc.exe
File opened (read-only) | \??\y: | hbxkairrhc.exe
File opened (read-only) | \??\q: | lwnkwujt.exe
File opened (read-only) | \??\u: | lwnkwujt.exe
File opened (read-only) | \??\w: | lwnkwujt.exe
File opened (read-only) | \??\s: | lwnkwujt.exe
File opened (read-only) | \??\z: | lwnkwujt.exe
File opened (read-only) | \??\e: | hbxkairrhc.exe
File opened (read-only) | \??\g: | hbxkairrhc.exe
File opened (read-only) | \??\s: | hbxkairrhc.exe
File opened (read-only) | \??\t: | hbxkairrhc.exe
File opened (read-only) | \??\x: | lwnkwujt.exe
File opened (read-only) | \??\a: | lwnkwujt.exe
File opened (read-only) | \??\x: | lwnkwujt.exe
File opened (read-only) | \??\m: | hbxkairrhc.exe
File opened (read-only) | \??\j: | lwnkwujt.exe
File opened (read-only) | \??\x: | hbxkairrhc.exe
File opened (read-only) | \??\a: | lwnkwujt.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | hbxkairrhc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | hbxkairrhc.exe
AutoIT Executable 10 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/1996-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral1/files/0x0009000000012270-5.dat | autoit_exe
behavioral1/files/0x000a000000012256-17.dat | autoit_exe
behavioral1/files/0x0009000000012270-25.dat | autoit_exe
behavioral1/files/0x0031000000016ced-28.dat | autoit_exe
behavioral1/files/0x000a000000012256-27.dat | autoit_exe
behavioral1/files/0x0031000000016ced-30.dat | autoit_exe
behavioral1/files/0x0007000000016d33-35.dat | autoit_exe
behavioral1/files/0x000500000001946b-70.dat | autoit_exe
behavioral1/files/0x0005000000019485-77.dat | autoit_exe
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\hbxkairrhc.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File opened for modification | C:\Windows\SysWOW64\hbxkairrhc.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File created | C:\Windows\SysWOW64\ifgjsfcekxhketw.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File created | C:\Windows\SysWOW64\lwnkwujt.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File opened for modification | C:\Windows\SysWOW64\lwnkwujt.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File created | C:\Windows\SysWOW64\ccetglqjwqmfi.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File opened for modification | C:\Windows\SysWOW64\ifgjsfcekxhketw.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File opened for modification | C:\Windows\SysWOW64\ccetglqjwqmfi.exe | 560d6cd1b5204f3ed86260fcbbd12665.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | hbxkairrhc.exe
Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lwnkwujt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lwnkwujt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | lwnkwujt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lwnkwujt.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | lwnkwujt.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | lwnkwujt.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 560d6cd1b5204f3ed86260fcbbd12665.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" hbxkairrhc.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABCFAC9F96AF19384083B4786983994B0FB03FC43600332E1CB459D09D4" 560d6cd1b5204f3ed86260fcbbd12665.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit WINWORD.EXE Set value (data) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat hbxkairrhc.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon WINWORD.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C7A9D2183546A4676A077242DDC7D8664DA" 560d6cd1b5204f3ed86260fcbbd12665.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184CC70C15E4DBC4B9B97CE2EC9F34B9" 560d6cd1b5204f3ed86260fcbbd12665.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh hbxkairrhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2684 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 2668 hbxkairrhc.exe 2668 hbxkairrhc.exe 2668 hbxkairrhc.exe 2668 hbxkairrhc.exe 2668 hbxkairrhc.exe 1996 560d6cd1b5204f3ed86260fcbbd12665.exe 2776 lwnkwujt.exe 2776 lwnkwujt.exe 2776 lwnkwujt.exe 2776 lwnkwujt.exe 2800 ifgjsfcekxhketw.exe 2800 ifgjsfcekxhketw.exe 2800 ifgjsfcekxhketw.exe 2800 ifgjsfcekxhketw.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2564 lwnkwujt.exe 2564 lwnkwujt.exe 2564 lwnkwujt.exe 2564 lwnkwujt.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe 3016 ccetglqjwqmfi.exe 3016 ccetglqjwqmfi.exe 2800 ifgjsfcekxhketw.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid | Process
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
2668 | hbxkairrhc.exe
2668 | hbxkairrhc.exe
2668 | hbxkairrhc.exe
2800 | ifgjsfcekxhketw.exe
2800 | ifgjsfcekxhketw.exe
2800 | ifgjsfcekxhketw.exe
2776 | lwnkwujt.exe
2776 | lwnkwujt.exe
2776 | lwnkwujt.exe
3016 | ccetglqjwqmfi.exe
3016 | ccetglqjwqmfi.exe
3016 | ccetglqjwqmfi.exe
2564 | lwnkwujt.exe
2564 | lwnkwujt.exe
2564 | lwnkwujt.exe
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe
2668 | hbxkairrhc.exe
2668 | hbxkairrhc.exe
2668 | hbxkairrhc.exe
2800 | ifgjsfcekxhketw.exe
2800 | ifgjsfcekxhketw.exe
2800 | ifgjsfcekxhketw.exe
2776 | lwnkwujt.exe
2776 | lwnkwujt.exe
2776 | lwnkwujt.exe
3016 | ccetglqjwqmfi.exe
3016 | ccetglqjwqmfi.exe
3016 | ccetglqjwqmfi.exe
2564 | lwnkwujt.exe
2564 | lwnkwujt.exe
2564 | lwnkwujt.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2684 | WINWORD.EXE
2684 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1996 wrote to memory of 2668 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 28
PID 1996 wrote to memory of 2668 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 28
PID 1996 wrote to memory of 2668 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 28
PID 1996 wrote to memory of 2668 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 28
PID 1996 wrote to memory of 2800 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 29
PID 1996 wrote to memory of 2800 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 29
PID 1996 wrote to memory of 2800 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 29
PID 1996 wrote to memory of 2800 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 29
PID 1996 wrote to memory of 2776 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 30
PID 1996 wrote to memory of 2776 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 30
PID 1996 wrote to memory of 2776 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 30
PID 1996 wrote to memory of 2776 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 30
PID 1996 wrote to memory of 3016 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 31
PID 1996 wrote to memory of 3016 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 31
PID 1996 wrote to memory of 3016 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 31
PID 1996 wrote to memory of 3016 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 31
PID 2668 wrote to memory of 2564 | 2668 | hbxkairrhc.exe | 32
PID 2668 wrote to memory of 2564 | 2668 | hbxkairrhc.exe | 32
PID 2668 wrote to memory of 2564 | 2668 | hbxkairrhc.exe | 32
PID 2668 wrote to memory of 2564 | 2668 | hbxkairrhc.exe | 32
PID 1996 wrote to memory of 2684 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 33
PID 1996 wrote to memory of 2684 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 33
PID 1996 wrote to memory of 2684 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 33
PID 1996 wrote to memory of 2684 | 1996 | 560d6cd1b5204f3ed86260fcbbd12665.exe | 33
PID 2684 wrote to memory of 596 | 2684 | WINWORD.EXE | 37
PID 2684 wrote to memory of 596 | 2684 | WINWORD.EXE | 37
PID 2684 wrote to memory of 596 | 2684 | WINWORD.EXE | 37
PID 2684 wrote to memory of 596 | 2684 | WINWORD.EXE | 37
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\560d6cd1b5204f3ed86260fcbbd12665.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\560d6cd1b5204f3ed86260fcbbd12665.exe"
Tree depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1996 -
Image: C:\Windows\SysWOW64\hbxkairrhc.exe
Command line: hbxkairrhc.exe
Tree depth: 2
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2668 -
Image: C:\Windows\SysWOW64\lwnkwujt.exe
Command line: C:\Windows\system32\lwnkwujt.exe
Tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2564
-
-
-
Image: C:\Windows\SysWOW64\ifgjsfcekxhketw.exe
Command line: ifgjsfcekxhketw.exe
Tree depth: 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2800
-
-
Image: C:\Windows\SysWOW64\lwnkwujt.exe
Command line: lwnkwujt.exe
Tree depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776
C:\Windows\SysWOW64\ccetglqjwqmfi.exe (command line: ccetglqjwqmfi.exe; tree level 2)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3016
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"; tree level 2)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
C:\Windows\splwow64.exe (command line: C:\Windows\splwow64.exe 12288; tree level 3)
PID:596
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Impair Defenses (2)
Disable or Modify Tools (2)
Modify Registry (7)
Downloads