Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 09-01-2024 09:34
Static task
static1

Behavioral task
behavioral1
Sample: 4df7e7e09adce9b3f4b523923d8e21f3.exe
Resource: win7-20231215-en

Behavioral task
behavioral2
Sample: 4df7e7e09adce9b3f4b523923d8e21f3.exe
Resource: win10v2004-20231222-en
General
Target: 4df7e7e09adce9b3f4b523923d8e21f3.exe
Size: 512KB
MD5: 4df7e7e09adce9b3f4b523923d8e21f3
SHA1: 1b86839a4bc5b385014967c395df0c306221c91b
SHA256: 464a5697ee6a51a31ce135f954a7d65105eeeb28a9f5f9f29f3c02a1c7c17623
SHA512: 25cc24ff3f0ec29f3ecab3e0ac562a363dc43ecb077eea7c59c5276e867881253ba79da36b6f653753ef9b3ed5cd6777c83a1d4ae21b2c1ee1ffedb7a9dd3cae
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6Q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5p
Malware Config
Signatures
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | evotkngmnf.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | evotkngmnf.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | evotkngmnf.exe

Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | evotkngmnf.exe

Executes dropped EXE 5 IoCs
pid | Process
2808 | evotkngmnf.exe
2884 | vgohhhonduhrqkf.exe
2160 | npiqgzcw.exe
2828 | jpsurxgpygbqb.exe
2584 | npiqgzcw.exe

Loads dropped DLL 5 IoCs
pid | Process
1740 | 4df7e7e09adce9b3f4b523923d8e21f3.exe
1740 | 4df7e7e09adce9b3f4b523923d8e21f3.exe
1740 | 4df7e7e09adce9b3f4b523923d8e21f3.exe
1740 | 4df7e7e09adce9b3f4b523923d8e21f3.exe
2808 | evotkngmnf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | evotkngmnf.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\johhfeuh = "evotkngmnf.exe" | vgohhhonduhrqkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sbaeoaem = "vgohhhonduhrqkf.exe" | vgohhhonduhrqkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "jpsurxgpygbqb.exe" | vgohhhonduhrqkf.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | evotkngmnf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | evotkngmnf.exe
AutoIT Executable 18 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 9 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\evotkngmnf.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\SysWOW64\evotkngmnf.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File created | C:\Windows\SysWOW64\vgohhhonduhrqkf.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\SysWOW64\vgohhhonduhrqkf.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File created | C:\Windows\SysWOW64\npiqgzcw.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\SysWOW64\npiqgzcw.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File created | C:\Windows\SysWOW64\jpsurxgpygbqb.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\SysWOW64\jpsurxgpygbqb.exe | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | evotkngmnf.exe

Drops file in Program Files directory 15 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | npiqgzcw.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | npiqgzcw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | npiqgzcw.exe
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | npiqgzcw.exe
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | npiqgzcw.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | npiqgzcw.exe

Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
File opened for modification | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | C:\Windows\mydoc.rtf | 4df7e7e09adce9b3f4b523923d8e21f3.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2656 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of FindShellTrayWindow 18 IoCs
Suspicious use of SendNotifyMessage 18 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2656 | WINWORD.EXE
2656 | WINWORD.EXE
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4df7e7e09adce9b3f4b523923d8e21f3.exe"C:\Users\Admin\AppData\Local\Temp\4df7e7e09adce9b3f4b523923d8e21f3.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\jpsurxgpygbqb.exejpsurxgpygbqb.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828
-
-
C:\Windows\SysWOW64\npiqgzcw.exenpiqgzcw.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2160
-
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1820
-
-
-
C:\Windows\SysWOW64\vgohhhonduhrqkf.exevgohhhonduhrqkf.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2884
-
-
C:\Windows\SysWOW64\evotkngmnf.exeevotkngmnf.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2808
-
-
C:\Windows\SysWOW64\npiqgzcw.exe C:\Windows\system32\npiqgzcw.exe 1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2584
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Winlogon Helper DLL (1)
Defense Evasion
Hide Artifacts (2)
Hidden Files and Directories (2)
Impair Defenses (2)
Disable or Modify Tools (2)
Modify Registry (7)
Downloads