Malware Analysis Report

2025-08-10 22:52

Sample ID 240107-x2d4waccfk
Target ad7a5d13335355b29d8ea0f3f2878aa4.exe
SHA256 b262b9df3885d2b65839220bf0ff28ac8f889859fd056371a8435c31e84d2f7c
Tags: evasion persistence trojan spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b262b9df3885d2b65839220bf0ff28ac8f889859fd056371a8435c31e84d2f7c

Threat Level: Known bad

The file ad7a5d13335355b29d8ea0f3f2878aa4.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence trojan spyware stealer

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Loads dropped DLL

Checks computer location settings

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-07 19:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-07 19:20
Reported: 2024-01-07 19:23
Platform: win7-20231129-en
Max time kernel: 0s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\sedqhxonze.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sedqhxonze.exe N/A
N/A N/A C:\Windows\SysWOW64\spglagvmteyzxqc.exe N/A
N/A N/A C:\Windows\SysWOW64\jnhdippi.exe N/A
N/A N/A C:\Windows\SysWOW64\isctssvucdjfd.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sedqhxonze.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\sedqhxonze.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jnhdippi.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\isctssvucdjfd.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\isctssvucdjfd.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\sedqhxonze.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\sedqhxonze.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\spglagvmteyzxqc.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\spglagvmteyzxqc.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\jnhdippi.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC1B15D47E6399F53BEB9D233EED7CF" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FCFF485A826E9042D65D7E93BC93E131594367366341D790" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\sedqhxonze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDF9CBF96AF195830E3B46819D39E3B38B02F142610233E2BD459A08A9" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C7D9C2D82276A3477A770522CA97C8464DC" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7F668C4FE6A22DCD27AD0A48A7F9167" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1948C70C14E5DBC3B8BC7FE6ED9434CC" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\sedqhxonze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\sedqhxonze.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\sedqhxonze.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\sedqhxonze.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\sedqhxonze.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\sedqhxonze.exe
PID 2044 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\sedqhxonze.exe
PID 2044 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\sedqhxonze.exe
PID 2044 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\sedqhxonze.exe
PID 2044 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\spglagvmteyzxqc.exe
PID 2044 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\spglagvmteyzxqc.exe
PID 2044 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\spglagvmteyzxqc.exe
PID 2044 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\spglagvmteyzxqc.exe
PID 2044 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\jnhdippi.exe
PID 2044 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\jnhdippi.exe
PID 2044 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\jnhdippi.exe
PID 2044 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\jnhdippi.exe
PID 2044 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\isctssvucdjfd.exe
PID 2044 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\isctssvucdjfd.exe
PID 2044 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\isctssvucdjfd.exe
PID 2044 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\isctssvucdjfd.exe

Processes

(image path, followed by the command line it was started with)

C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe
    "C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"

C:\Windows\SysWOW64\sedqhxonze.exe
    sedqhxonze.exe

C:\Windows\SysWOW64\spglagvmteyzxqc.exe
    spglagvmteyzxqc.exe

C:\Windows\SysWOW64\jnhdippi.exe
    C:\Windows\system32\jnhdippi.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\isctssvucdjfd.exe
    isctssvucdjfd.exe

C:\Windows\SysWOW64\jnhdippi.exe
    jnhdippi.exe

C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2044-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jnhdippi.exe

MD5 0a0846a1b1d06361151ab94d05d5c6c8
SHA1 b3c00db5280d830046a2b1dcdec7a5c82e132186
SHA256 617d0f092af9a0bf7ad4696060e5a867439ce896183dd11b1d539e2ae8acc7fe
SHA512 a9315851ee6de995af605dfe0cca5b0df02db05690964398eb0dcf1c47beb36d898f23fd2eef91ff4e4a23b5fc4d4edccf50b60a185a4eb4af8e9af612270712

\Windows\SysWOW64\sedqhxonze.exe

MD5 16876a7b264d720366fa0d8072cbbfc9
SHA1 66bc7200cc412fadbcba03e3123f90cf44ca36de
SHA256 8570de4fc971cb1c0e13b2841bff4491a489e032903499c675c35a82e101918e
SHA512 d5e43e5e406e7a682ac67615a98a785f9bd18fad1b240c9128471cc736f6ccd081194d02842a315026299673c70642f0d10b346f8094cc88edd2af06228cf0b7

C:\Windows\SysWOW64\jnhdippi.exe

MD5 6662b185f19fbf697c56a25c92de7961
SHA1 0df0c0df0de3724258df2549c583e3c934aca726
SHA256 c11edb9e97848e20319fba876d9382c7193f68323eff1f7ed805bb04303bdc86
SHA512 c6e2cb83f68a63ca299dae843d2697d41dab8b565fb4005755b0d255b388779b6c1dad97375009c995f0a3d2e0acb4cc820090ca5dc24ee11e1a3de5b1a4921f

memory/2508-45-0x000000002F5E1000-0x000000002F5E2000-memory.dmp

\Windows\SysWOW64\isctssvucdjfd.exe

MD5 7546625059e6afddb354e2b79d02b5b8
SHA1 aa9ba8bbeec815758d027df42d661c9660d0785f
SHA256 03547ea2fad82b0b3762261f0e9fa06ee88516bdde6d15184807bb4f4bc22919
SHA512 0f91352d7d3d962cb80c3514b96bd08dee1a88aa028ca3dd6e94ec0e89b9df48d78b25cf843f7b0f333ca4033cab4eca4d98993e71980d8c45ebfd42e5375bc2

memory/2508-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2508-47-0x0000000070AFD000-0x0000000070B08000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Windows\SysWOW64\spglagvmteyzxqc.exe

MD5 9a7addefe11d860d9355f1ed0d8f80ab
SHA1 c4dab3ed23731d35edfed17a0c1baa074325644e
SHA256 acac40a4f7d7cce42f30c2dcc0b443dce599a1497d6d1dfd1dea1919707b2996
SHA512 842e89a8cd2b22268c2815d3c022c30ba762b68d6038270d0aad13a7506ccb7c5ab767a5b48a22912a95d3e69b6a3f375725895e0c84c549f0f1299728fa365b

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2508-74-0x0000000070AFD000-0x0000000070B08000-memory.dmp

memory/2508-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 0cea8562c1c8813e310c831c969d6a4f
SHA1 d7e3119723a1694161d86ce09a6f752689af236c
SHA256 83aaa2f7964c5b15ca14002033e4d746bcaff93196a2883b114df9a4066561fd
SHA512 eb7f1791ebe5d32ab05759323cf77a46aa6ef2ef7797b77f170279455d1e2196251036ed9bd75c33869583c1297b3f9aab2371ff5960932f6770394f98853664

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-07 19:20
Reported: 2024-01-07 19:23
Platform: win10v2004-20231222-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lhzxvpnp = "gqzqinqdqd.exe" C:\Windows\SysWOW64\wcnbisjoosnvjok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwwhhugt = "wcnbisjoosnvjok.exe" C:\Windows\SysWOW64\wcnbisjoosnvjok.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "wsvqayhbxpmrs.exe" C:\Windows\SysWOW64\wcnbisjoosnvjok.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tmizluxt.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gqzqinqdqd.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\wcnbisjoosnvjok.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\tmizluxt.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created C:\Windows\SysWOW64\wsvqayhbxpmrs.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created C:\Windows\SysWOW64\gqzqinqdqd.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\wcnbisjoosnvjok.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\tmizluxt.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification C:\Windows\SysWOW64\wsvqayhbxpmrs.exe C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\tmizluxt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\tmizluxt.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442D799D2382276A3576A577272CDA7C8F64DD" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8FFCFF4F2682699140D62E7D9DBDEFE643584767336245D6EE" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7FD6BC4FF6E22D0D109D1D58A0C906A" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C70F14E5DAB3B8CC7FE1EDE037CD" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BC9FACEF963F1E083793A4286EA39E5B080038C4366023FE1C442EF08A1" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB0B15C47E738E853B9B9D7339DD4BB" C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\gqzqinqdqd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe N/A
N/A N/A C:\Windows\SysWOW64\wcnbisjoosnvjok.exe N/A
N/A N/A C:\Windows\SysWOW64\tmizluxt.exe N/A
N/A N/A C:\Windows\SysWOW64\gqzqinqdqd.exe N/A
N/A N/A C:\Windows\SysWOW64\wsvqayhbxpmrs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4608 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\gqzqinqdqd.exe
PID 4608 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\wcnbisjoosnvjok.exe
PID 4608 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\tmizluxt.exe
PID 4608 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Windows\SysWOW64\wsvqayhbxpmrs.exe
PID 4608 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3752 wrote to memory of 3636 N/A C:\Windows\SysWOW64\gqzqinqdqd.exe C:\Windows\SysWOW64\tmizluxt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe

"C:\Users\Admin\AppData\Local\Temp\ad7a5d13335355b29d8ea0f3f2878aa4.exe"

C:\Windows\SysWOW64\wsvqayhbxpmrs.exe

wsvqayhbxpmrs.exe

C:\Windows\SysWOW64\tmizluxt.exe

tmizluxt.exe

C:\Windows\SysWOW64\wcnbisjoosnvjok.exe

wcnbisjoosnvjok.exe

C:\Windows\SysWOW64\gqzqinqdqd.exe

gqzqinqdqd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\tmizluxt.exe

C:\Windows\system32\tmizluxt.exe

Network

Country Destination Domain Proto

Files
