Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
11/01/2024, 16:21
Static task
static1
Behavioral task
behavioral1
Sample
53ff37849612f8403876d1c9c0fc6264.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
53ff37849612f8403876d1c9c0fc6264.exe
Resource
win10v2004-20231215-en
General
-
Target
53ff37849612f8403876d1c9c0fc6264.exe
-
Size
512KB
-
MD5
53ff37849612f8403876d1c9c0fc6264
-
SHA1
adb76cd9d1da5d27e0d0479636d263e371ab3318
-
SHA256
f5ac01c91a46a2349beda1ce04870c3abf28fd697d0cf946c8ffa3d24c2d29b1
-
SHA512
9c4a8e00b51feca6161f6190f3b7182994024c163e5f826f3b3ce15699c367c3c7543fa7edab8c6a0556da39f08ec23c147fd3c1fe40baf8d32b894b595cab8b
-
SSDEEP
6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6q:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5n
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" womjaielmh.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" womjaielmh.exe -
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" womjaielmh.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" womjaielmh.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Executes dropped EXE 5 IoCs
pid Process
2788 womjaielmh.exe
3052 fokslnggxmyobqt.exe
2872 grqspqxk.exe
2888 towbjjokudusb.exe
2588 grqspqxk.exe
-
Loads dropped DLL 5 IoCs
pid Process
1708 53ff37849612f8403876d1c9c0fc6264.exe
1708 53ff37849612f8403876d1c9c0fc6264.exe
1708 53ff37849612f8403876d1c9c0fc6264.exe
1708 53ff37849612f8403876d1c9c0fc6264.exe
2788 womjaielmh.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" womjaielmh.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pblzrjrx = "womjaielmh.exe" fokslnggxmyobqt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rcobicoj = "fokslnggxmyobqt.exe" fokslnggxmyobqt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "towbjjokudusb.exe" fokslnggxmyobqt.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" womjaielmh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" womjaielmh.exe
-
AutoIT Executable 17 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 9 IoCs
description ioc Process
File created C:\Windows\SysWOW64\womjaielmh.exe 53ff37849612f8403876d1c9c0fc6264.exe
File created C:\Windows\SysWOW64\fokslnggxmyobqt.exe 53ff37849612f8403876d1c9c0fc6264.exe
File opened for modification C:\Windows\SysWOW64\fokslnggxmyobqt.exe 53ff37849612f8403876d1c9c0fc6264.exe
File opened for modification C:\Windows\SysWOW64\grqspqxk.exe 53ff37849612f8403876d1c9c0fc6264.exe
File created C:\Windows\SysWOW64\towbjjokudusb.exe 53ff37849612f8403876d1c9c0fc6264.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll womjaielmh.exe
File opened for modification C:\Windows\SysWOW64\womjaielmh.exe 53ff37849612f8403876d1c9c0fc6264.exe
File created C:\Windows\SysWOW64\grqspqxk.exe 53ff37849612f8403876d1c9c0fc6264.exe
File opened for modification C:\Windows\SysWOW64\towbjjokudusb.exe 53ff37849612f8403876d1c9c0fc6264.exe
-
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal grqspqxk.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal grqspqxk.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal grqspqxk.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal grqspqxk.exe
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe grqspqxk.exe
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe grqspqxk.exe
-
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\mydoc.rtf 53ff37849612f8403876d1c9c0fc6264.exe
File opened for modification C:\Windows\mydoc.rtf WINWORD.EXE
File created C:\Windows\~$mydoc.rtf WINWORD.EXE
File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2580 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 1584 explorer.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2580 WINWORD.EXE 2580 WINWORD.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target
PID 1708 wrote to memory of 2788 1708 53ff37849612f8403876d1c9c0fc6264.exe 28
PID 1708 wrote to memory of 3052 1708 53ff37849612f8403876d1c9c0fc6264.exe 29
PID 1708 wrote to memory of 2872 1708 53ff37849612f8403876d1c9c0fc6264.exe 30
PID 1708 wrote to memory of 2888 1708 53ff37849612f8403876d1c9c0fc6264.exe 31
PID 2788 wrote to memory of 2588 2788 womjaielmh.exe 32
PID 1708 wrote to memory of 2580 1708 53ff37849612f8403876d1c9c0fc6264.exe 33
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\53ff37849612f8403876d1c9c0fc6264.exe "C:\Users\Admin\AppData\Local\Temp\53ff37849612f8403876d1c9c0fc6264.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\womjaielmh.exe womjaielmh.exe 2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2788
Level 3: C:\Windows\SysWOW64\grqspqxk.exe
Command line: C:\Windows\system32\grqspqxk.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2588
Level 2: C:\Windows\SysWOW64\fokslnggxmyobqt.exe
Command line: fokslnggxmyobqt.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052
Level 2: C:\Windows\SysWOW64\grqspqxk.exe
Command line: grqspqxk.exe
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872
Level 2: C:\Windows\SysWOW64\towbjjokudusb.exe
Command line: towbjjokudusb.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888
Level 2: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2580
Level 1: C:\Windows\explorer.exe
Command line: explorer.exe
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1584
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
- Registry Run Keys / Startup Folder: 2
- Winlogon Helper DLL: 1
Defense Evasion
- Hide Artifacts: 2
- Hidden Files and Directories: 2
- Impair Defenses: 2
- Disable or Modify Tools: 2
- Modify Registry: 8
Downloads