eef38e74b284a86c40ecb68777c0cd6b77398b9ce4bc7046694e77673e5bca61

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b27abb987d5162d029710981820847.exe
Size

512KB
MD5

19b27abb987d5162d029710981820847
SHA1

b585c7dd57a7e9f10f87bcbd492f3c12446fd113
SHA256

eef38e74b284a86c40ecb68777c0cd6b77398b9ce4bc7046694e77673e5bca61
SHA512

6986e785e9257a5a731fbb3a7d9eb718b21a4b3a9200d000d63701c56eda217debcc0331a7d0b6706abfb5ab13407d572aa3c6f8d5057fc7927da36063711347
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6m:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5N

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	tjrnwkqymg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	tjrnwkqymg.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tjrnwkqymg.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	tjrnwkqymg.exe

Executes dropped EXE 5 IoCs

pid	Process
3048	tjrnwkqymg.exe
1164	qzjilkdtyujwfgy.exe
2036	zaujmigy.exe
2780	phguottjatbzf.exe
2620	zaujmigy.exe

Loads dropped DLL 5 IoCs

pid	Process
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
3048	tjrnwkqymg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	tjrnwkqymg.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\xdconnyw = "qzjilkdtyujwfgy.exe"	qzjilkdtyujwfgy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "phguottjatbzf.exe"	qzjilkdtyujwfgy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\obexiubt = "tjrnwkqymg.exe"	qzjilkdtyujwfgy.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\w:	tjrnwkqymg.exe
File opened (read-only)	\??\i:	zaujmigy.exe
File opened (read-only)	\??\z:	tjrnwkqymg.exe
File opened (read-only)	\??\j:	zaujmigy.exe
File opened (read-only)	\??\t:	zaujmigy.exe
File opened (read-only)	\??\k:	tjrnwkqymg.exe
File opened (read-only)	\??\o:	tjrnwkqymg.exe
File opened (read-only)	\??\m:	tjrnwkqymg.exe
File opened (read-only)	\??\v:	zaujmigy.exe
File opened (read-only)	\??\z:	zaujmigy.exe
File opened (read-only)	\??\e:	tjrnwkqymg.exe
File opened (read-only)	\??\j:	tjrnwkqymg.exe
File opened (read-only)	\??\s:	zaujmigy.exe
File opened (read-only)	\??\a:	zaujmigy.exe
File opened (read-only)	\??\q:	zaujmigy.exe
File opened (read-only)	\??\y:	zaujmigy.exe
File opened (read-only)	\??\g:	zaujmigy.exe
File opened (read-only)	\??\r:	zaujmigy.exe
File opened (read-only)	\??\h:	zaujmigy.exe
File opened (read-only)	\??\u:	zaujmigy.exe
File opened (read-only)	\??\b:	tjrnwkqymg.exe
File opened (read-only)	\??\h:	tjrnwkqymg.exe
File opened (read-only)	\??\y:	tjrnwkqymg.exe
File opened (read-only)	\??\k:	zaujmigy.exe
File opened (read-only)	\??\r:	zaujmigy.exe
File opened (read-only)	\??\a:	tjrnwkqymg.exe
File opened (read-only)	\??\u:	zaujmigy.exe
File opened (read-only)	\??\i:	zaujmigy.exe
File opened (read-only)	\??\l:	zaujmigy.exe
File opened (read-only)	\??\m:	zaujmigy.exe
File opened (read-only)	\??\o:	zaujmigy.exe
File opened (read-only)	\??\p:	tjrnwkqymg.exe
File opened (read-only)	\??\s:	tjrnwkqymg.exe
File opened (read-only)	\??\v:	tjrnwkqymg.exe
File opened (read-only)	\??\x:	zaujmigy.exe
File opened (read-only)	\??\y:	zaujmigy.exe
File opened (read-only)	\??\z:	zaujmigy.exe
File opened (read-only)	\??\q:	tjrnwkqymg.exe
File opened (read-only)	\??\r:	tjrnwkqymg.exe
File opened (read-only)	\??\p:	zaujmigy.exe
File opened (read-only)	\??\g:	zaujmigy.exe
File opened (read-only)	\??\k:	zaujmigy.exe
File opened (read-only)	\??\o:	zaujmigy.exe
File opened (read-only)	\??\t:	zaujmigy.exe
File opened (read-only)	\??\i:	tjrnwkqymg.exe
File opened (read-only)	\??\a:	zaujmigy.exe
File opened (read-only)	\??\j:	zaujmigy.exe
File opened (read-only)	\??\b:	zaujmigy.exe
File opened (read-only)	\??\e:	zaujmigy.exe
File opened (read-only)	\??\l:	zaujmigy.exe
File opened (read-only)	\??\p:	zaujmigy.exe
File opened (read-only)	\??\s:	zaujmigy.exe
File opened (read-only)	\??\g:	tjrnwkqymg.exe
File opened (read-only)	\??\l:	tjrnwkqymg.exe
File opened (read-only)	\??\h:	zaujmigy.exe
File opened (read-only)	\??\n:	zaujmigy.exe
File opened (read-only)	\??\w:	zaujmigy.exe
File opened (read-only)	\??\x:	zaujmigy.exe
File opened (read-only)	\??\m:	zaujmigy.exe
File opened (read-only)	\??\t:	tjrnwkqymg.exe
File opened (read-only)	\??\x:	tjrnwkqymg.exe
File opened (read-only)	\??\b:	zaujmigy.exe
File opened (read-only)	\??\n:	zaujmigy.exe
File opened (read-only)	\??\q:	zaujmigy.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	tjrnwkqymg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	tjrnwkqymg.exe

AutoIT Executable 8 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2212-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000d000000012325-5.dat	autoit_exe
behavioral1/files/0x000d000000012325-33.dat	autoit_exe
behavioral1/files/0x003600000001444d-30.dat	autoit_exe
behavioral1/files/0x003600000001444d-27.dat	autoit_exe
behavioral1/files/0x000d000000012325-25.dat	autoit_exe
behavioral1/files/0x000d00000001224c-20.dat	autoit_exe
behavioral1/files/0x0006000000015d70-72.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tjrnwkqymg.exe	19b27abb987d5162d029710981820847.exe
File opened for modification	C:\Windows\SysWOW64\tjrnwkqymg.exe	19b27abb987d5162d029710981820847.exe
File opened for modification	C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe	19b27abb987d5162d029710981820847.exe
File opened for modification	C:\Windows\SysWOW64\zaujmigy.exe	19b27abb987d5162d029710981820847.exe
File opened for modification	C:\Windows\SysWOW64\phguottjatbzf.exe	19b27abb987d5162d029710981820847.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	tjrnwkqymg.exe
File created	C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe	19b27abb987d5162d029710981820847.exe
File created	C:\Windows\SysWOW64\zaujmigy.exe	19b27abb987d5162d029710981820847.exe
File created	C:\Windows\SysWOW64\phguottjatbzf.exe	19b27abb987d5162d029710981820847.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\SuspendCompare.nal	zaujmigy.exe
File opened for modification	\??\c:\Program Files\SuspendCompare.doc.exe	zaujmigy.exe
File opened for modification	C:\Program Files\SuspendCompare.nal	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zaujmigy.exe
File opened for modification	C:\Program Files\SuspendCompare.doc.exe	zaujmigy.exe
File created	\??\c:\Program Files\SuspendCompare.doc.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zaujmigy.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zaujmigy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zaujmigy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	zaujmigy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zaujmigy.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zaujmigy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	zaujmigy.exe
File opened for modification	\??\c:\Program Files\SuspendCompare.doc.exe	zaujmigy.exe
File opened for modification	C:\Program Files\SuspendCompare.doc.exe	zaujmigy.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	zaujmigy.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\mydoc.rtf	19b27abb987d5162d029710981820847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\CLV.Classes	19b27abb987d5162d029710981820847.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	tjrnwkqymg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C0D9D5283516D4476A277272DD77D8364DE"	19b27abb987d5162d029710981820847.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8EFF8F4827826D9137D6587E91BDE7E133584367456234D7E9"	19b27abb987d5162d029710981820847.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile"	tjrnwkqymg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile"	tjrnwkqymg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7876BB7FE1822D0D279D1D28A7B9011"	19b27abb987d5162d029710981820847.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	tjrnwkqymg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
1164	qzjilkdtyujwfgy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
2212	19b27abb987d5162d029710981820847.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
3048	tjrnwkqymg.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
1164	qzjilkdtyujwfgy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2036	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe
2620	zaujmigy.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2828	WINWORD.EXE
2828	WINWORD.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3048	2212	19b27abb987d5162d029710981820847.exe	23
PID 2212 wrote to memory of 3048	2212	19b27abb987d5162d029710981820847.exe	23
PID 2212 wrote to memory of 3048	2212	19b27abb987d5162d029710981820847.exe	23
PID 2212 wrote to memory of 3048	2212	19b27abb987d5162d029710981820847.exe	23
PID 2212 wrote to memory of 1164	2212	19b27abb987d5162d029710981820847.exe	22
PID 2212 wrote to memory of 1164	2212	19b27abb987d5162d029710981820847.exe	22
PID 2212 wrote to memory of 1164	2212	19b27abb987d5162d029710981820847.exe	22
PID 2212 wrote to memory of 1164	2212	19b27abb987d5162d029710981820847.exe	22
PID 2212 wrote to memory of 2036	2212	19b27abb987d5162d029710981820847.exe	19
PID 2212 wrote to memory of 2036	2212	19b27abb987d5162d029710981820847.exe	19
PID 2212 wrote to memory of 2036	2212	19b27abb987d5162d029710981820847.exe	19
PID 2212 wrote to memory of 2036	2212	19b27abb987d5162d029710981820847.exe	19
PID 1164 wrote to memory of 2948	1164	qzjilkdtyujwfgy.exe	18
PID 1164 wrote to memory of 2948	1164	qzjilkdtyujwfgy.exe	18
PID 1164 wrote to memory of 2948	1164	qzjilkdtyujwfgy.exe	18
PID 1164 wrote to memory of 2948	1164	qzjilkdtyujwfgy.exe	18
PID 2212 wrote to memory of 2780	2212	19b27abb987d5162d029710981820847.exe	15
PID 2212 wrote to memory of 2780	2212	19b27abb987d5162d029710981820847.exe	15
PID 2212 wrote to memory of 2780	2212	19b27abb987d5162d029710981820847.exe	15
PID 2212 wrote to memory of 2780	2212	19b27abb987d5162d029710981820847.exe	15
PID 3048 wrote to memory of 2620	3048	tjrnwkqymg.exe	14
PID 3048 wrote to memory of 2620	3048	tjrnwkqymg.exe	14
PID 3048 wrote to memory of 2620	3048	tjrnwkqymg.exe	14
PID 3048 wrote to memory of 2620	3048	tjrnwkqymg.exe	14
PID 2212 wrote to memory of 2828	2212	19b27abb987d5162d029710981820847.exe	16
PID 2212 wrote to memory of 2828	2212	19b27abb987d5162d029710981820847.exe	16
PID 2212 wrote to memory of 2828	2212	19b27abb987d5162d029710981820847.exe	16
PID 2212 wrote to memory of 2828	2212	19b27abb987d5162d029710981820847.exe	16
PID 2828 wrote to memory of 1652	2828	WINWORD.EXE	38
PID 2828 wrote to memory of 1652	2828	WINWORD.EXE	38
PID 2828 wrote to memory of 1652	2828	WINWORD.EXE	38
PID 2828 wrote to memory of 1652	2828	WINWORD.EXE	38

C:\Windows\SysWOW64\zaujmigy.exe
C:\Windows\system32\zaujmigy.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\Windows\SysWOW64\phguottjatbzf.exe
phguottjatbzf.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c phguottjatbzf.exe
1⤵
PID:2948

C:\Windows\SysWOW64\zaujmigy.exe
zaujmigy.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036

C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe
qzjilkdtyujwfgy.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\tjrnwkqymg.exe
tjrnwkqymg.exe
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe
"C:\Users\Admin\AppData\Local\Temp\19b27abb987d5162d029710981820847.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
512KB

MD5
261687b0761a15fbd28aae1129cd2631

SHA1
03ab142ee9140b4583f7c9db78e69c6a014c1fb2

SHA256
0e75adc5c4417c468279fd8edf15a362cd6fdac3645ee79cb0080a544ddbc522

SHA512
6acf46b21ae54aff4cc9d3c1dd34b6d80150670564b2c030a1b0cb3ada26939b45d39ad764547269431f69dd71c14d95dcb36556c25a0e191b8862ac79bccce6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
28fbee4372ff48a1ecacb4fe28544ab5

SHA1
b746442283b61b18f5e7caca20ffd0643a6ef167

SHA256
f0c6473ce5e30808dc4c3285b950aa82b153f6c4bc04c14c5fc609d4117c7f05

SHA512
2aa9b7959b2386071c5d4e6b7bd77cbfa40d2cab642493a272137a451a4ac30144226afe4321d809c2e7d7f8380937686ce66cdac651a44325b5edfcb86bbc48

Download Submit
C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe

Filesize
512KB

MD5
3b537f259fabde6deab632555b6e7abc

SHA1
5fe721cf4afb8918c62e353ba9bee02ba6157972

SHA256
419bf986c9ebcd470f78c4a6e9b8cbb82d42abfced80f5040c0b381ad6a1aa63

SHA512
d5f7f78683f8c5b412c19a3bc03ba2dded46b5c31fa3e33f39d50653f32d5290610e75fcc63de97212024d7bee0a7cbcf751b9612100b0f4bfc3ed1616397415

Download Submit
C:\Windows\SysWOW64\qzjilkdtyujwfgy.exe

Filesize
92KB

MD5
6662b185f19fbf697c56a25c92de7961

SHA1
0df0c0df0de3724258df2549c583e3c934aca726

SHA256
c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86

SHA512
c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

Download Submit
C:\Windows\SysWOW64\tjrnwkqymg.exe

Filesize
512KB

MD5
38cb525416ed7bd83b1ceb2e572e8b1a

SHA1
1c41ebc439f16fff314670c7b3aa61a38ba290dd

SHA256
92f7bc521151b43caabaf1ef931b143e94ab9720973ef5552e9c618f7624c446

SHA512
40e6ff2b9ab7d8c7df0b58907fab75d0cbd546a62b95bf0e1ed8d856444b6e86bcbba4ee9dedc77ba9dddb409558f73aeb5154afa59bda64321baf367e2d3b77

Download Submit
C:\Windows\SysWOW64\zaujmigy.exe

Filesize
99KB

MD5
7fc6cf931da79ecd4267f22c6a1aefa8

SHA1
913682b9a75a4089cc18ec25b28e082916a6b314

SHA256
2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487

SHA512
272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

Download Submit
\Windows\SysWOW64\zaujmigy.exe

Filesize
512KB

MD5
f88de94839cba3b1532352e5094c1496

SHA1
28dba79189f38b401e54207eb444995e554167c6

SHA256
c79ff3c4325e97785953c4960f61798551814130f904be7dfa67ab2f1e473dfc

SHA512
d877569722a47f1e4c3a9a1116563fde0ea83b99a794fef25d248aeb0d516e1421ab8a5f3261fd5f8a6d60d7a7aadbf6e1fe34fe1466dafbdd87dc49d453c933

Download Submit
memory/2212-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2828-46-0x00000000716ED000-0x00000000716F8000-memory.dmp

Filesize
44KB

Download
memory/2828-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-83-0x00000000716ED000-0x00000000716F8000-memory.dmp

Filesize
44KB

Download
memory/2828-44-0x000000002F131000-0x000000002F132000-memory.dmp

Filesize
4KB

Download
memory/2828-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download