aacbdfd9dc2795c02ae6f49f1c140886a91b45af90fabe26c80a65622f103a89

Analysis

max time kernel
152s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c6931c7e8b35b15b7f4745f96494051e.exe
Size

512KB
MD5

c6931c7e8b35b15b7f4745f96494051e
SHA1

749e428d898dc4c43728ac1a1d9c7573e028e4ed
SHA256

aacbdfd9dc2795c02ae6f49f1c140886a91b45af90fabe26c80a65622f103a89
SHA512

d2d7c50da7840f19f9f907ac30ea15fcb633b3ad94359e72fdcaa35f7a69071d3447f889a18a64e47efc379374037601ceedce0cdb62ea8c88f2d26fea47d6aa
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6c:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5v

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csjtexkana.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csjtexkana.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	csjtexkana.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csjtexkana.exe

Executes dropped EXE 5 IoCs

pid	Process
2484	csjtexkana.exe
2932	zjpinnzlbkaziig.exe
2860	inmrtvue.exe
2524	mfbihrciaocoq.exe
2472	inmrtvue.exe

Loads dropped DLL 5 IoCs

pid	Process
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2484	csjtexkana.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	csjtexkana.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\dwwywnfs = "csjtexkana.exe"	zjpinnzlbkaziig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xhrxcrwc = "zjpinnzlbkaziig.exe"	zjpinnzlbkaziig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mfbihrciaocoq.exe"	zjpinnzlbkaziig.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	inmrtvue.exe
File opened (read-only)	\??\j:	inmrtvue.exe
File opened (read-only)	\??\a:	csjtexkana.exe
File opened (read-only)	\??\b:	csjtexkana.exe
File opened (read-only)	\??\i:	csjtexkana.exe
File opened (read-only)	\??\z:	csjtexkana.exe
File opened (read-only)	\??\w:	csjtexkana.exe
File opened (read-only)	\??\z:	inmrtvue.exe
File opened (read-only)	\??\k:	inmrtvue.exe
File opened (read-only)	\??\s:	inmrtvue.exe
File opened (read-only)	\??\t:	inmrtvue.exe
File opened (read-only)	\??\h:	csjtexkana.exe
File opened (read-only)	\??\s:	csjtexkana.exe
File opened (read-only)	\??\l:	inmrtvue.exe
File opened (read-only)	\??\b:	inmrtvue.exe
File opened (read-only)	\??\t:	inmrtvue.exe
File opened (read-only)	\??\x:	inmrtvue.exe
File opened (read-only)	\??\r:	inmrtvue.exe
File opened (read-only)	\??\j:	csjtexkana.exe
File opened (read-only)	\??\x:	csjtexkana.exe
File opened (read-only)	\??\o:	inmrtvue.exe
File opened (read-only)	\??\v:	inmrtvue.exe
File opened (read-only)	\??\o:	inmrtvue.exe
File opened (read-only)	\??\k:	csjtexkana.exe
File opened (read-only)	\??\p:	csjtexkana.exe
File opened (read-only)	\??\s:	inmrtvue.exe
File opened (read-only)	\??\e:	inmrtvue.exe
File opened (read-only)	\??\i:	inmrtvue.exe
File opened (read-only)	\??\a:	inmrtvue.exe
File opened (read-only)	\??\v:	inmrtvue.exe
File opened (read-only)	\??\e:	csjtexkana.exe
File opened (read-only)	\??\q:	csjtexkana.exe
File opened (read-only)	\??\y:	csjtexkana.exe
File opened (read-only)	\??\o:	csjtexkana.exe
File opened (read-only)	\??\h:	inmrtvue.exe
File opened (read-only)	\??\j:	inmrtvue.exe
File opened (read-only)	\??\b:	inmrtvue.exe
File opened (read-only)	\??\g:	inmrtvue.exe
File opened (read-only)	\??\n:	inmrtvue.exe
File opened (read-only)	\??\u:	inmrtvue.exe
File opened (read-only)	\??\n:	csjtexkana.exe
File opened (read-only)	\??\k:	inmrtvue.exe
File opened (read-only)	\??\y:	inmrtvue.exe
File opened (read-only)	\??\a:	inmrtvue.exe
File opened (read-only)	\??\l:	inmrtvue.exe
File opened (read-only)	\??\r:	inmrtvue.exe
File opened (read-only)	\??\g:	csjtexkana.exe
File opened (read-only)	\??\v:	csjtexkana.exe
File opened (read-only)	\??\m:	inmrtvue.exe
File opened (read-only)	\??\q:	inmrtvue.exe
File opened (read-only)	\??\y:	inmrtvue.exe
File opened (read-only)	\??\t:	csjtexkana.exe
File opened (read-only)	\??\e:	inmrtvue.exe
File opened (read-only)	\??\x:	inmrtvue.exe
File opened (read-only)	\??\u:	csjtexkana.exe
File opened (read-only)	\??\m:	inmrtvue.exe
File opened (read-only)	\??\p:	inmrtvue.exe
File opened (read-only)	\??\w:	inmrtvue.exe
File opened (read-only)	\??\m:	csjtexkana.exe
File opened (read-only)	\??\q:	inmrtvue.exe
File opened (read-only)	\??\w:	inmrtvue.exe
File opened (read-only)	\??\u:	inmrtvue.exe
File opened (read-only)	\??\i:	inmrtvue.exe
File opened (read-only)	\??\l:	csjtexkana.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	csjtexkana.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	csjtexkana.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x0008000000012249-5.dat	autoit_exe
behavioral1/files/0x000c000000012245-17.dat	autoit_exe
behavioral1/files/0x0008000000012249-22.dat	autoit_exe
behavioral1/files/0x002800000001390b-28.dat	autoit_exe
behavioral1/files/0x0008000000013aa6-38.dat	autoit_exe
behavioral1/files/0x00070000000155e6-71.dat	autoit_exe
behavioral1/files/0x0007000000015627-75.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\csjtexkana.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File created	C:\Windows\SysWOW64\zjpinnzlbkaziig.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification	C:\Windows\SysWOW64\zjpinnzlbkaziig.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File created	C:\Windows\SysWOW64\inmrtvue.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File created	C:\Windows\SysWOW64\mfbihrciaocoq.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csjtexkana.exe
File created	C:\Windows\SysWOW64\csjtexkana.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification	C:\Windows\SysWOW64\inmrtvue.exe	c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification	C:\Windows\SysWOW64\mfbihrciaocoq.exe	c6931c7e8b35b15b7f4745f96494051e.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	inmrtvue.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	inmrtvue.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	inmrtvue.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	inmrtvue.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	inmrtvue.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	inmrtvue.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	inmrtvue.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	inmrtvue.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	c6931c7e8b35b15b7f4745f96494051e.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	csjtexkana.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile"	csjtexkana.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	csjtexkana.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC2B15D47E3389952CAB9D433E9D7B8"	c6931c7e8b35b15b7f4745f96494051e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33402D7B9C2382206A4277A770562CDF7D8064D8"	c6931c7e8b35b15b7f4745f96494051e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABEFE14F190837E3B3081EA39E4B08D02FF43690233E1BE42E908D4"	c6931c7e8b35b15b7f4745f96494051e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	csjtexkana.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	c6931c7e8b35b15b7f4745f96494051e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsc	csjtexkana.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2660	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2472	inmrtvue.exe
2472	inmrtvue.exe
2472	inmrtvue.exe
2472	inmrtvue.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2932	zjpinnzlbkaziig.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2472	inmrtvue.exe
2472	inmrtvue.exe
2472	inmrtvue.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2208	c6931c7e8b35b15b7f4745f96494051e.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2484	csjtexkana.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2932	zjpinnzlbkaziig.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2860	inmrtvue.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2524	mfbihrciaocoq.exe
2472	inmrtvue.exe
2472	inmrtvue.exe
2472	inmrtvue.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2660	WINWORD.EXE
2660	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2484	2208	c6931c7e8b35b15b7f4745f96494051e.exe	28
PID 2208 wrote to memory of 2484	2208	c6931c7e8b35b15b7f4745f96494051e.exe	28
PID 2208 wrote to memory of 2484	2208	c6931c7e8b35b15b7f4745f96494051e.exe	28
PID 2208 wrote to memory of 2484	2208	c6931c7e8b35b15b7f4745f96494051e.exe	28
PID 2208 wrote to memory of 2932	2208	c6931c7e8b35b15b7f4745f96494051e.exe	29
PID 2208 wrote to memory of 2932	2208	c6931c7e8b35b15b7f4745f96494051e.exe	29
PID 2208 wrote to memory of 2932	2208	c6931c7e8b35b15b7f4745f96494051e.exe	29
PID 2208 wrote to memory of 2932	2208	c6931c7e8b35b15b7f4745f96494051e.exe	29
PID 2208 wrote to memory of 2860	2208	c6931c7e8b35b15b7f4745f96494051e.exe	30
PID 2208 wrote to memory of 2860	2208	c6931c7e8b35b15b7f4745f96494051e.exe	30
PID 2208 wrote to memory of 2860	2208	c6931c7e8b35b15b7f4745f96494051e.exe	30
PID 2208 wrote to memory of 2860	2208	c6931c7e8b35b15b7f4745f96494051e.exe	30
PID 2208 wrote to memory of 2524	2208	c6931c7e8b35b15b7f4745f96494051e.exe	31
PID 2208 wrote to memory of 2524	2208	c6931c7e8b35b15b7f4745f96494051e.exe	31
PID 2208 wrote to memory of 2524	2208	c6931c7e8b35b15b7f4745f96494051e.exe	31
PID 2208 wrote to memory of 2524	2208	c6931c7e8b35b15b7f4745f96494051e.exe	31
PID 2484 wrote to memory of 2472	2484	csjtexkana.exe	32
PID 2484 wrote to memory of 2472	2484	csjtexkana.exe	32
PID 2484 wrote to memory of 2472	2484	csjtexkana.exe	32
PID 2484 wrote to memory of 2472	2484	csjtexkana.exe	32
PID 2208 wrote to memory of 2660	2208	c6931c7e8b35b15b7f4745f96494051e.exe	33
PID 2208 wrote to memory of 2660	2208	c6931c7e8b35b15b7f4745f96494051e.exe	33
PID 2208 wrote to memory of 2660	2208	c6931c7e8b35b15b7f4745f96494051e.exe	33
PID 2208 wrote to memory of 2660	2208	c6931c7e8b35b15b7f4745f96494051e.exe	33
PID 2660 wrote to memory of 1076	2660	WINWORD.EXE	37
PID 2660 wrote to memory of 1076	2660	WINWORD.EXE	37
PID 2660 wrote to memory of 1076	2660	WINWORD.EXE	37
PID 2660 wrote to memory of 1076	2660	WINWORD.EXE	37

C:\Users\Admin\AppData\Local\Temp\c6931c7e8b35b15b7f4745f96494051e.exe
"C:\Users\Admin\AppData\Local\Temp\c6931c7e8b35b15b7f4745f96494051e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\csjtexkana.exe
  csjtexkana.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\inmrtvue.exe
    C:\Windows\system32\inmrtvue.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2472
- C:\Windows\SysWOW64\zjpinnzlbkaziig.exe
  zjpinnzlbkaziig.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2932
- C:\Windows\SysWOW64\inmrtvue.exe
  inmrtvue.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2860
- C:\Windows\SysWOW64\mfbihrciaocoq.exe
  mfbihrciaocoq.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2524
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
0ec23f2bca98cde27ab616054ba0d424

SHA1
3e9db51c14f7928385aca3d68b8f7f9eb09d9a7f

SHA256
73f73ee44b8e98a9a1b18ecc6242da14064d9f7770ce392604db3b3d32299a1a

SHA512
bf627f3b9d84f9ee7557d325ba0b07632716505dc1bc16a25daa072a895109b1ccedf1c3b218bace9778bccb9913a69480cb50887de0b2c6535d2011a957eff5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
512KB

MD5
fb5803865766de68a3df63603b56c415

SHA1
ce5d4b858dad1b44a44ba4f623ff893bf6b16045

SHA256
5ecb63dc3dfb375c03fcd68e705cab77fd8191e64b1ff73f86de24577885b22d

SHA512
026e83dae0a1737e85fbdeb815d55087c2dab9a7d1ef6b42c58d5db1d281b47bb24af829731b5f453418d30754f3ee08b1d2d430660d0585bfd70d080123c7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
0e30ed389f3b3acf685645a1bee2b187

SHA1
0a2f6a8c6be6d28a98ffebdfe47f09bdc9651fd7

SHA256
3bffde9841bd3ef1e3aa1a99779211a9578579f54ff892320730ead127f41802

SHA512
b0762a96b70aff3c46e3f0dae529ab1ac4ebbbdbe8bba59c607bab0676d1e009772c4e42f7af8be6d1f4cb0bc2bdf8374c0634ca510f8e129b6b07918850622a

Download Submit
C:\Windows\SysWOW64\mfbihrciaocoq.exe

Filesize
512KB

MD5
f140825d48b306d4ff381dc1062ab85e

SHA1
a1e175ad01fa36559937d446d5568a5e482a7168

SHA256
08fef66b74236f67958736368e72bfc986d450522335b2f75abcb6052b20d3fd

SHA512
471256b7187eabc3860a617d5fa3183ed65ec3e98a7920f086c06063d0b12ea2948d8c49cec8faed484effcd4b866c48123d146d19cd7c2d9829a67909f3c8f5

Download Submit
C:\Windows\SysWOW64\zjpinnzlbkaziig.exe

Filesize
85KB

MD5
27623bf17711551baa843bbab18a4b07

SHA1
2d6d50bab42c5defdd9bdf3f14fb826853558392

SHA256
6a2c1908feaaa4585f579f19881c7fec6c64bfe38500306f55eaeb5fa0a7b368

SHA512
53f01abdb0a6c91cedd6e7bb705ad27f9dfc89722bd6bb07ad9df87ff00ca5c9fc6764706ab6edc018fd90f519cf4d12af670416b3fff7cee5e6aca87e9f153b

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\csjtexkana.exe

Filesize
512KB

MD5
38f9656fd94cffeae89860f3f9327409

SHA1
b2a882283f1707914d7c00e58c7845b1464e3d46

SHA256
af20da8ffac9dfd74584719c05f318d02194e46faaa3ec3b0d5d29065387de55

SHA512
f44b19517050c8b590d569a1c4a55729200ba55a44b2cf704aa02b9a64d529298cf38c6ae850c31676ec8ee6877ca7db3b5ad7d52c8e57a3e8afd1a1bbc11a2b

Download Submit
\Windows\SysWOW64\inmrtvue.exe

Filesize
512KB

MD5
6cf534b62dfab867d1078eed503c8b90

SHA1
9e1a2ec1b54f3987ac565905ff957fda4cabf417

SHA256
962448a0f0fc6e7f0596aea642bd0d7eb1d26cc478c342b86df137990f52bd69

SHA512
1d9c17156743e5584c3f99272f6816e53b76c95ed0750f41e9128c65f6787714461384d2bd764f8aeb475884cc484aac8ecefd5c3167eaa136757bed2797262f

Download Submit
\Windows\SysWOW64\zjpinnzlbkaziig.exe

Filesize
512KB

MD5
35f8f8481fe31d8f8b2f4e791b0d1cbe

SHA1
56c5941139c6adb26fefd8bc90b0c247820e085e

SHA256
5061b8121ce2aa17d567f4b4a5252ca9ab4768cc711af9585343038186ee1ae5

SHA512
e85f1a1afe3b43f513479546fa020c70a8f383a9acd987df34ba8839b73991833e5e39ed717f52b12731155744a9a1d9ba2f928b05ad0a770e8ebbb336c51c32

Download Submit
memory/2208-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2660-47-0x00000000713DD000-0x00000000713E8000-memory.dmp

Filesize
44KB

Download
memory/2660-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-45-0x000000002F8A1000-0x000000002F8A2000-memory.dmp

Filesize
4KB

Download
memory/2660-78-0x00000000713DD000-0x00000000713E8000-memory.dmp

Filesize
44KB

Download
memory/2660-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download