8979c4787201aa7d4ca0adb56e39fa649801624ebdeb59ab43c9153c73c07dbb

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-01-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58948654f33c3b7c94d385f644f158cc.exe
Size

512KB
MD5

58948654f33c3b7c94d385f644f158cc
SHA1

80862d510c4392c13696b2376869d65bc88c21dd
SHA256

8979c4787201aa7d4ca0adb56e39fa649801624ebdeb59ab43c9153c73c07dbb
SHA512

ea3013407b5b3576be36842da1d29aa2530f23b68c22d2f7af5af781db1e050af88963861e456ca3584e1ac6659d81428a53f44503f98b264d189f87b3908b9a
SSDEEP

6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj6d:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm5+

Score

10^/10

evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fdrsqlnvox.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fdrsqlnvox.exe

Windows security bypass 2 TTPs 5 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fdrsqlnvox.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fdrsqlnvox.exe

Executes dropped EXE 5 IoCs

pid	Process
2488	fdrsqlnvox.exe
2832	tazayyfirmzjvvs.exe
2248	vmqtyftf.exe
2548	okhdzbcmxbjrs.exe
2352	vmqtyftf.exe

Loads dropped DLL 5 IoCs

pid	Process
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
2488	fdrsqlnvox.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	fdrsqlnvox.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hougbqnx = "fdrsqlnvox.exe"	tazayyfirmzjvvs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hhncftqz = "tazayyfirmzjvvs.exe"	tazayyfirmzjvvs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "okhdzbcmxbjrs.exe"	tazayyfirmzjvvs.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	vmqtyftf.exe
File opened (read-only)	\??\k:	fdrsqlnvox.exe
File opened (read-only)	\??\x:	fdrsqlnvox.exe
File opened (read-only)	\??\j:	vmqtyftf.exe
File opened (read-only)	\??\o:	vmqtyftf.exe
File opened (read-only)	\??\p:	vmqtyftf.exe
File opened (read-only)	\??\x:	vmqtyftf.exe
File opened (read-only)	\??\s:	fdrsqlnvox.exe
File opened (read-only)	\??\j:	vmqtyftf.exe
File opened (read-only)	\??\e:	vmqtyftf.exe
File opened (read-only)	\??\q:	fdrsqlnvox.exe
File opened (read-only)	\??\i:	fdrsqlnvox.exe
File opened (read-only)	\??\h:	vmqtyftf.exe
File opened (read-only)	\??\s:	vmqtyftf.exe
File opened (read-only)	\??\e:	fdrsqlnvox.exe
File opened (read-only)	\??\g:	fdrsqlnvox.exe
File opened (read-only)	\??\h:	fdrsqlnvox.exe
File opened (read-only)	\??\g:	vmqtyftf.exe
File opened (read-only)	\??\w:	fdrsqlnvox.exe
File opened (read-only)	\??\a:	vmqtyftf.exe
File opened (read-only)	\??\w:	vmqtyftf.exe
File opened (read-only)	\??\x:	vmqtyftf.exe
File opened (read-only)	\??\m:	vmqtyftf.exe
File opened (read-only)	\??\w:	vmqtyftf.exe
File opened (read-only)	\??\a:	fdrsqlnvox.exe
File opened (read-only)	\??\n:	fdrsqlnvox.exe
File opened (read-only)	\??\o:	fdrsqlnvox.exe
File opened (read-only)	\??\u:	fdrsqlnvox.exe
File opened (read-only)	\??\v:	fdrsqlnvox.exe
File opened (read-only)	\??\i:	vmqtyftf.exe
File opened (read-only)	\??\b:	vmqtyftf.exe
File opened (read-only)	\??\h:	vmqtyftf.exe
File opened (read-only)	\??\v:	vmqtyftf.exe
File opened (read-only)	\??\j:	fdrsqlnvox.exe
File opened (read-only)	\??\m:	vmqtyftf.exe
File opened (read-only)	\??\v:	vmqtyftf.exe
File opened (read-only)	\??\g:	vmqtyftf.exe
File opened (read-only)	\??\t:	vmqtyftf.exe
File opened (read-only)	\??\p:	fdrsqlnvox.exe
File opened (read-only)	\??\r:	vmqtyftf.exe
File opened (read-only)	\??\u:	vmqtyftf.exe
File opened (read-only)	\??\i:	vmqtyftf.exe
File opened (read-only)	\??\n:	vmqtyftf.exe
File opened (read-only)	\??\s:	vmqtyftf.exe
File opened (read-only)	\??\q:	vmqtyftf.exe
File opened (read-only)	\??\y:	fdrsqlnvox.exe
File opened (read-only)	\??\k:	vmqtyftf.exe
File opened (read-only)	\??\y:	vmqtyftf.exe
File opened (read-only)	\??\e:	vmqtyftf.exe
File opened (read-only)	\??\b:	fdrsqlnvox.exe
File opened (read-only)	\??\l:	fdrsqlnvox.exe
File opened (read-only)	\??\r:	fdrsqlnvox.exe
File opened (read-only)	\??\t:	vmqtyftf.exe
File opened (read-only)	\??\a:	vmqtyftf.exe
File opened (read-only)	\??\l:	vmqtyftf.exe
File opened (read-only)	\??\r:	vmqtyftf.exe
File opened (read-only)	\??\p:	vmqtyftf.exe
File opened (read-only)	\??\u:	vmqtyftf.exe
File opened (read-only)	\??\m:	fdrsqlnvox.exe
File opened (read-only)	\??\n:	vmqtyftf.exe
File opened (read-only)	\??\y:	vmqtyftf.exe
File opened (read-only)	\??\z:	fdrsqlnvox.exe
File opened (read-only)	\??\b:	vmqtyftf.exe
File opened (read-only)	\??\z:	vmqtyftf.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0"	fdrsqlnvox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	fdrsqlnvox.exe

AutoIT Executable 18 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1068-0-0x0000000000400000-0x0000000000496000-memory.dmp	autoit_exe
behavioral1/files/0x000b0000000139e0-17.dat	autoit_exe
behavioral1/files/0x000b000000015d0f-25.dat	autoit_exe
behavioral1/files/0x000b0000000139e0-20.dat	autoit_exe
behavioral1/files/0x0009000000016176-27.dat	autoit_exe
behavioral1/files/0x0009000000016176-34.dat	autoit_exe
behavioral1/files/0x00070000000165ae-30.dat	autoit_exe
behavioral1/files/0x00070000000165ae-36.dat	autoit_exe
behavioral1/files/0x000b000000015d0f-21.dat	autoit_exe
behavioral1/files/0x0009000000016176-39.dat	autoit_exe
behavioral1/files/0x000b0000000139e0-38.dat	autoit_exe
behavioral1/files/0x00070000000165ae-41.dat	autoit_exe
behavioral1/files/0x000b000000015d0f-40.dat	autoit_exe
behavioral1/files/0x0009000000016176-43.dat	autoit_exe
behavioral1/files/0x0009000000016176-42.dat	autoit_exe
behavioral1/files/0x000b000000015d0f-5.dat	autoit_exe
behavioral1/files/0x0006000000016fed-75.dat	autoit_exe
behavioral1/files/0x0006000000016e4a-72.dat	autoit_exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vmqtyftf.exe	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\SysWOW64\vmqtyftf.exe	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\SysWOW64\okhdzbcmxbjrs.exe	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	fdrsqlnvox.exe
File created	C:\Windows\SysWOW64\fdrsqlnvox.exe	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\SysWOW64\fdrsqlnvox.exe	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\SysWOW64\tazayyfirmzjvvs.exe	58948654f33c3b7c94d385f644f158cc.exe
File created	C:\Windows\SysWOW64\tazayyfirmzjvvs.exe	58948654f33c3b7c94d385f644f158cc.exe
File created	C:\Windows\SysWOW64\okhdzbcmxbjrs.exe	58948654f33c3b7c94d385f644f158cc.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vmqtyftf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vmqtyftf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vmqtyftf.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal	vmqtyftf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vmqtyftf.exe
File created	\??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe	vmqtyftf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal	vmqtyftf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\mydoc.rtf	58948654f33c3b7c94d385f644f158cc.exe
File opened for modification	C:\Windows\mydoc.rtf	WINWORD.EXE
File created	C:\Windows\~$mydoc.rtf	WINWORD.EXE
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE
File opened for modification	C:\Windows\~$mydoc.rtf	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile"	fdrsqlnvox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B15C44EF389F52BEBAD433EAD7B9"	58948654f33c3b7c94d385f644f158cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1848C67915ECDAC3B8B97FE0EC9F37BC"	58948654f33c3b7c94d385f644f158cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile"	fdrsqlnvox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC8FACCFE67F19884793A31869D3998B38D02F942620333E2C845E609A9"	58948654f33c3b7c94d385f644f158cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile"	fdrsqlnvox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wsf	fdrsqlnvox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2712	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2832	tazayyfirmzjvvs.exe
2832	tazayyfirmzjvvs.exe
2832	tazayyfirmzjvvs.exe
2832	tazayyfirmzjvvs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
1068	58948654f33c3b7c94d385f644f158cc.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2488	fdrsqlnvox.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2248	vmqtyftf.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2832	tazayyfirmzjvvs.exe
2548	okhdzbcmxbjrs.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe
2352	vmqtyftf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2712	WINWORD.EXE
2712	WINWORD.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2488	1068	58948654f33c3b7c94d385f644f158cc.exe	33
PID 1068 wrote to memory of 2488	1068	58948654f33c3b7c94d385f644f158cc.exe	33
PID 1068 wrote to memory of 2488	1068	58948654f33c3b7c94d385f644f158cc.exe	33
PID 1068 wrote to memory of 2488	1068	58948654f33c3b7c94d385f644f158cc.exe	33
PID 1068 wrote to memory of 2832	1068	58948654f33c3b7c94d385f644f158cc.exe	32
PID 1068 wrote to memory of 2832	1068	58948654f33c3b7c94d385f644f158cc.exe	32
PID 1068 wrote to memory of 2832	1068	58948654f33c3b7c94d385f644f158cc.exe	32
PID 1068 wrote to memory of 2832	1068	58948654f33c3b7c94d385f644f158cc.exe	32
PID 1068 wrote to memory of 2248	1068	58948654f33c3b7c94d385f644f158cc.exe	29
PID 1068 wrote to memory of 2248	1068	58948654f33c3b7c94d385f644f158cc.exe	29
PID 1068 wrote to memory of 2248	1068	58948654f33c3b7c94d385f644f158cc.exe	29
PID 1068 wrote to memory of 2248	1068	58948654f33c3b7c94d385f644f158cc.exe	29
PID 1068 wrote to memory of 2548	1068	58948654f33c3b7c94d385f644f158cc.exe	28
PID 1068 wrote to memory of 2548	1068	58948654f33c3b7c94d385f644f158cc.exe	28
PID 1068 wrote to memory of 2548	1068	58948654f33c3b7c94d385f644f158cc.exe	28
PID 1068 wrote to memory of 2548	1068	58948654f33c3b7c94d385f644f158cc.exe	28
PID 2488 wrote to memory of 2352	2488	fdrsqlnvox.exe	31
PID 2488 wrote to memory of 2352	2488	fdrsqlnvox.exe	31
PID 2488 wrote to memory of 2352	2488	fdrsqlnvox.exe	31
PID 2488 wrote to memory of 2352	2488	fdrsqlnvox.exe	31
PID 1068 wrote to memory of 2712	1068	58948654f33c3b7c94d385f644f158cc.exe	30
PID 1068 wrote to memory of 2712	1068	58948654f33c3b7c94d385f644f158cc.exe	30
PID 1068 wrote to memory of 2712	1068	58948654f33c3b7c94d385f644f158cc.exe	30
PID 1068 wrote to memory of 2712	1068	58948654f33c3b7c94d385f644f158cc.exe	30
PID 2712 wrote to memory of 1848	2712	WINWORD.EXE	36
PID 2712 wrote to memory of 1848	2712	WINWORD.EXE	36
PID 2712 wrote to memory of 1848	2712	WINWORD.EXE	36
PID 2712 wrote to memory of 1848	2712	WINWORD.EXE	36

C:\Users\Admin\AppData\Local\Temp\58948654f33c3b7c94d385f644f158cc.exe
"C:\Users\Admin\AppData\Local\Temp\58948654f33c3b7c94d385f644f158cc.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\SysWOW64\okhdzbcmxbjrs.exe
  okhdzbcmxbjrs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2548
- C:\Windows\SysWOW64\vmqtyftf.exe
  vmqtyftf.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2248
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:1848
- C:\Windows\SysWOW64\tazayyfirmzjvvs.exe
  tazayyfirmzjvvs.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2832
- C:\Windows\SysWOW64\fdrsqlnvox.exe
  fdrsqlnvox.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2488

C:\Windows\SysWOW64\vmqtyftf.exe
C:\Windows\system32\vmqtyftf.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

Filesize
62KB

MD5
285c294bade964e309bb868fe6f045ed

SHA1
40212694a4cd92681905b91828e3bfadda7fc4bc

SHA256
7a7325b29e31e4e09cf4fcdd0b310d47f4085541b4f9e0aad597e4b7c42d2e4c

SHA512
0cdc8c827a366c74d9b534e7b26f8d8a1c616ec00d8e34129d29b86789bead968a5016f9022080fba272d702dd30e1e190dd0fb54ebfc55b9cbf347bbff30217

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

Filesize
9KB

MD5
b35b1f4c5eb499f62524766be9a3f580

SHA1
f3a95cd805d4d178906b33d01887e100ac31639f

SHA256
e311cc9039f96406b84412246561aed0aa49832d741b137e342843fe26d45b3d

SHA512
885bb3047c46cd65081975934aad7936ca99e4c146f0eeae98e36adb5b52c92c7a2a1cc8e645f50b8445dd5aa9d88e1db0ef860bb24c5f7122a87dd2b586a5a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
02f936e15b725c50e852c1f02601d276

SHA1
3ab508e69b45021cae79ecde81d1fbf7d54ada7e

SHA256
de4a27561efe5d127c6a45a46e626fb598dcf508966be4e738caaa1daff9e854

SHA512
e3eb661c5b3a25a18ad7858463398f352fc0c718399671e501f552f7e65f7ea2ae1ef29e1439de6ffdbf381065ab7abcdac32a9f0b4d74ba3df58ca1538eefb7

Download Submit
C:\Windows\SysWOW64\fdrsqlnvox.exe

Filesize
304KB

MD5
9e22e11050127f4c379fd35f016723bb

SHA1
9816107711cb27228cd4b2b9b128104f42bc5697

SHA256
1f0553d5dc40b537f17b7c37f2cf5ffcd0a485de69bd110c59dede33838ebd2f

SHA512
9103b04cb309cec9c9b4a1e615f45050a7aa55ee9537a1a2395eee80a3183709847c3083fb96f1c360dfd308811d89178f3063fba702d083d275e1e7e1f0a8fc

Download Submit
C:\Windows\SysWOW64\fdrsqlnvox.exe

Filesize
265KB

MD5
dcbd07628c8248cdc7929b5ac5828ea7

SHA1
9974a327f130d6b75b817b2fe8f20468a33add55

SHA256
76eccee59892c65b0fdec2cf4501f590310e5d7685c39a7f662c014f213c7a37

SHA512
052562d86a1f4ba10d0fcb6960a92552d3fd71bb7caa43099c0430067ade140f1276c8904ee51bb367250ec389c435823a75314f25ceedfaeb1cde0e1ddc64c6

Download Submit
C:\Windows\SysWOW64\okhdzbcmxbjrs.exe

Filesize
229KB

MD5
e8c60b4bb9752a7c584fb56b02be35e3

SHA1
a5b83ca24d60c7cb563d5601606c2890b3a47d8b

SHA256
8cdfeffa410fa188eb74230273901d6c914bf79003aeebe3ea5372ae418b44dd

SHA512
1211dfe9d7b9159e647a86817a05a4a939de2b993b673d9d4549414c32d1c853c2de25f6494a351f160b0b0d4ec24ec6a18057624a743afa81b05dff2417521d

Download Submit
C:\Windows\SysWOW64\okhdzbcmxbjrs.exe

Filesize
335KB

MD5
25bda12fdc10d4ea7257c630664e9a62

SHA1
39061db2b5c4d1431f8e59b109800b89e36cccad

SHA256
17dd4854107c8d8093e36904f31de266258f4e9f38064a49265aac2c5cdee02c

SHA512
89cd4ac7d8dd493ec0e4eab39ec5c0b40b3bb2e59335cf3357903058a5e1e4b3f52065492d6095689c577d471fe0918fa610932da21ea9594f95ca748df37627

Download Submit
C:\Windows\SysWOW64\tazayyfirmzjvvs.exe

Filesize
298KB

MD5
0069f9afc99a96a6465a7888e22fec30

SHA1
4b70428a9a2f4a350f3afca1ddf03c46654de4d4

SHA256
3b32d96eca3d05dbcc84272fa197d8bb7bf5efe83970ead616f3edb6d3f46590

SHA512
8755774ad302383b10a5b04f6c439c77721422fb07fe7693b6db520c93db3f51c26b5688d7ed799965eb05cfda424f9870e1d50958c72368e07c6f0e9fdb38b9

Download Submit
C:\Windows\SysWOW64\tazayyfirmzjvvs.exe

Filesize
285KB

MD5
b733c2f4908f23a220b4a4035c86cbae

SHA1
24d0d77ac85b12e2efb4c4682de3e046d827b42a

SHA256
7813d25b14331bd434716c5da504fbad432f21a37c0e6fb0bf498851b0880025

SHA512
d4e5697ee3a04e78374389898cd37988e9cc41c3551ede974812f553467c07f38bd87e1b0abd6fba833474c49d1a389c48c70f46450112f26e76d8f9e757b52d

Download Submit
C:\Windows\SysWOW64\tazayyfirmzjvvs.exe

Filesize
415KB

MD5
e5cf34071856d346dd8db0d9793bd5f8

SHA1
1a359f7fc8dacab1bc655afeb8b97ab0521c6173

SHA256
672d48db151cb26b0eef3ef5075e995d524d96e21e3d89ddbfe27bdc39d73aa0

SHA512
91c90447799663edb31d00a62748b37e18f001c93a560d3dd2ca64de3215854cd89c3636fe5ac674aba4b520562e2d31ba7d8a171c0692b59791ecea9e48f9d9

Download Submit
C:\Windows\SysWOW64\vmqtyftf.exe

Filesize
339KB

MD5
c0e70a087d01104d30cd7b1c39199461

SHA1
b506bdfd8e9392cf89881d34555115d8621fdeb8

SHA256
07b43f5961230801cea39edc73eeb6778504a9c86cca2aeafdf514fd37255d6e

SHA512
76d2b76c53e6350ebfc21f187a108e873266529274afcb135800b0c8f6107bb3e0ded060b972111bf6912f68ce6027c7bd856f37075a4c910f3b65f6989c3a72

Download Submit
C:\Windows\SysWOW64\vmqtyftf.exe

Filesize
307KB

MD5
4b95bb1454eb64505e87c10d2801a135

SHA1
8677bbfbb82f5ca84e5ca830c6c0b5ebc781c20a

SHA256
ed801f01ee87246d96b14c62700f7e1c9866375ac4699d83b4f41419c2bfee7a

SHA512
7d1a1f373aea96650e6a926e50026190e859de55775920818385b20fb55d15a3079287e7040bf4d9ae3a26609f81d2ea1fb2de6a15381cff38e1a6d852bd961e

Download Submit
C:\Windows\SysWOW64\vmqtyftf.exe

Filesize
351KB

MD5
f2d4e425e2d51ff1cabf402076d31cdd

SHA1
4ccdf64baf4fb772f453955c2135ca6942b935ed

SHA256
adc25137cf86e472a241df4db3856933f0f0b628a081c94bdedd81a011aa10e8

SHA512
fd13cd7b669f777acfbacb130382b90ef3a51222469297f75bbcdde7ce868886d33329fa3f690d5684857d4ae3ec8c8e86b189f5869b85876fe73d0b0a965121

Download Submit
C:\Windows\mydoc.rtf

Filesize
223B

MD5
06604e5941c126e2e7be02c5cd9f62ec

SHA1
4eb9fdf8ff4e1e539236002bd363b82c8f8930e1

SHA256
85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

SHA512
803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Download Submit
\Windows\SysWOW64\fdrsqlnvox.exe

Filesize
303KB

MD5
4620f9d0c07a292f4bff8788f5f89393

SHA1
1c5108428347ba0d3ac0d10a506f20feb2177180

SHA256
cd7215bb27db8f22ff89fba126955412ffc65d3f3eeab2ebe362efdb5269f9ec

SHA512
054060695d2af4086d560402aaee2387c9f94eb0948cb3140fe4a0e199e115f23a3330edfd835ae2ae3763ba6d0f8ca8258e1dc4b3e87f91695f5586ee79524d

Download Submit
\Windows\SysWOW64\okhdzbcmxbjrs.exe

Filesize
343KB

MD5
1535b172c57a5918d53828efe65315a5

SHA1
b4e0ef3b718371f411441d11adcc62abd927b353

SHA256
bc6e1a7f565aee1c195b8dba0fc55a81111010c2e1f3a426385809a584006fb8

SHA512
03d304a9e02d69fb8af68f77dfb089d29b00502492967efd1343813fae65e48156b9ae0e6fc9210437da49a3e93db3382e6e1d3ec89d2a9bd0428fb9f2a5b393

Download Submit
\Windows\SysWOW64\tazayyfirmzjvvs.exe

Filesize
360KB

MD5
8df729a0da84f074312edabeb348f436

SHA1
4483dd0dc8e756411e759259903dc7bda83d93a3

SHA256
f88dd4f1c33fb40614932a22f00ffacfc4d83cd7b0a7511e32a8c8121d9129d9

SHA512
b64f28594fcbada9aa9606d9a5160d5eee3d4c0a1fb86263128b4d4d81a6bc193ba64e7c0b8a33311e74d74edc2c6ad8625dafd0398523e6e36b31592153306b

Download Submit
\Windows\SysWOW64\vmqtyftf.exe

Filesize
262KB

MD5
e30a37024d0722a99b827d1bb1d0695c

SHA1
1ede425d98b9996bdea1bb97d22a9fde3317d093

SHA256
96c20b859dc39ecca6eec50023e94f235e77fffe0a6d79a8e75f7dea1c0a56a2

SHA512
5e1d909ce9bd8d85d724677a12c5ef0c26a7c2d5b335f42bcc9d68b36e5df2244aa46a4172ffbf3db1cd9d532502e5f3cca8a861f68f6a00fc29cc53bc58f04d

Download Submit
\Windows\SysWOW64\vmqtyftf.exe

Filesize
264KB

MD5
ff236b8231541a8a931e5d7256183657

SHA1
2ca1ebdbc394abe35989aaed652500896bcff6dd

SHA256
9e613e5d2113731845b54144c8f43ea6478dae1a7b1b932bd4ed53b6615c2c52

SHA512
a792a44e91857aa7caba34dbfbc02b605c881955813e392f9d26b25bdfbae850fecb2899ec1470029f78ae5f22958563e612ddc0d376fd93afedc67a83781b12

Download Submit
memory/1068-0-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/2712-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-47-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2712-45-0x000000002FDF1000-0x000000002FDF2000-memory.dmp

Filesize
4KB

Download
memory/2712-78-0x0000000070B0D000-0x0000000070B18000-memory.dmp

Filesize
44KB

Download
memory/2712-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download