Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x2m2saccgn
Target a85144a2c4ed68d0e7ecfd200d018c4a.exe
SHA256 d97b2ec5c1969d1c1704ffbf8bb9e36dac57545d353a61ad73c36d48607727c6
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d97b2ec5c1969d1c1704ffbf8bb9e36dac57545d353a61ad73c36d48607727c6

Threat Level: Known bad

The file a85144a2c4ed68d0e7ecfd200d018c4a.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Disables RegEdit via registry modification

Modifies Installed Components in the registry

Windows security modification

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:21

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:24

Platform

win7-20231215-en

Max time kernel

151s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qmiqvpfw = "ncedgklqyxzgccp.exe" C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "lhbzrpngxepik.exe" C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ifkmukfw = "qzusjhsssd.exe" C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hdohbyux.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\qzusjhsssd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\lhbzrpngxepik.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\qzusjhsssd.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File created C:\Windows\SysWOW64\hdohbyux.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\hdohbyux.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\lhbzrpngxepik.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\qzusjhsssd.exe N/A
File created C:\Windows\SysWOW64\qzusjhsssd.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File created C:\Windows\SysWOW64\ncedgklqyxzgccp.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\ncedgklqyxzgccp.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hdohbyux.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hdohbyux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABBFACEF913F1E2830C3B4A86973E90B3FD03FC4262033EE1CD429C09D1" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFDFF8F485D821B9041D65C7DE2BD95E643594266476337D79F" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\qzusjhsssd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\ncedgklqyxzgccp.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\qzusjhsssd.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\lhbzrpngxepik.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\SysWOW64\hdohbyux.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\qzusjhsssd.exe
PID 1904 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\qzusjhsssd.exe
PID 1904 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\qzusjhsssd.exe
PID 1904 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\qzusjhsssd.exe
PID 1904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\ncedgklqyxzgccp.exe
PID 1904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\ncedgklqyxzgccp.exe
PID 1904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\ncedgklqyxzgccp.exe
PID 1904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\ncedgklqyxzgccp.exe
PID 1904 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 1904 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 1904 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 1904 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 1904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\lhbzrpngxepik.exe
PID 1904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\lhbzrpngxepik.exe
PID 1904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\lhbzrpngxepik.exe
PID 1904 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\lhbzrpngxepik.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\SysWOW64\qzusjhsssd.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\SysWOW64\qzusjhsssd.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\SysWOW64\qzusjhsssd.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 2848 wrote to memory of 2592 N/A C:\Windows\SysWOW64\qzusjhsssd.exe C:\Windows\SysWOW64\hdohbyux.exe
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1904 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2548 wrote to memory of 1448 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 1448 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 1448 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2548 wrote to memory of 1448 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe

"C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe"

C:\Windows\SysWOW64\qzusjhsssd.exe

qzusjhsssd.exe

C:\Windows\SysWOW64\ncedgklqyxzgccp.exe

ncedgklqyxzgccp.exe

C:\Windows\SysWOW64\hdohbyux.exe

hdohbyux.exe

C:\Windows\SysWOW64\lhbzrpngxepik.exe

lhbzrpngxepik.exe

C:\Windows\SysWOW64\hdohbyux.exe

C:\Windows\system32\hdohbyux.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1904-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hdohbyux.exe

\Windows\SysWOW64\qzusjhsssd.exe

C:\Windows\SysWOW64\ncedgklqyxzgccp.exe

C:\Windows\SysWOW64\lhbzrpngxepik.exe

memory/2548-45-0x000000002F7C1000-0x000000002F7C2000-memory.dmp

memory/2548-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2548-47-0x000000007170D000-0x0000000071718000-memory.dmp

C:\Windows\mydoc.rtf

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

C:\Users\Admin\Documents\ReadMeasure.doc.exe

memory/2236-87-0x0000000003C30000-0x0000000003C31000-memory.dmp

memory/2548-89-0x000000007170D000-0x0000000071718000-memory.dmp

memory/2236-91-0x0000000003C30000-0x0000000003C31000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:21

Reported

2024-01-07 19:23

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rfxffjhl = "mgprebzqzivoevw.exe" C:\Windows\SysWOW64\mgprebzqzivoevw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "euknqqypysmqx.exe" C:\Windows\SysWOW64\mgprebzqzivoevw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tkvocqjc = "gicqfnthwk.exe" C:\Windows\SysWOW64\mgprebzqzivoevw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\djdgljti.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\gicqfnthwk.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\gicqfnthwk.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\mgprebzqzivoevw.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\mgprebzqzivoevw.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\gicqfnthwk.exe N/A
File created C:\Windows\SysWOW64\gicqfnthwk.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\gicqfnthwk.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File created C:\Windows\SysWOW64\djdgljti.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\djdgljti.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File created C:\Windows\SysWOW64\euknqqypysmqx.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\SysWOW64\euknqqypysmqx.exe C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\djdgljti.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\djdgljti.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\djdgljti.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC82482B851F9040D65F7E9CBC94E64058446733623FD69C" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C60C1493DAC4B8B97C97ED9634BE" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33442C089C5182276A4376A577222CD67CF264AD" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F56BC5FF1D21AED273D1D68A089110" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AB8FACAFE14F2E083753B4381EA3E90B3FC02FD42150349E1CB45E609D4" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B1204795399E53B9BAA733EAD7CF" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\gicqfnthwk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\gicqfnthwk.exe N/A
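The writes above that matter operationally are the ones from gicqfnthwk.exe: they set the default value of HKLM\SOFTWARE\Classes\.bat, .vbs, .reg, .wsh, .wsc and .wsf to "txtfile", so double-clicking any of those script types opens Notepad instead of the script host, which silently neuters scripted clean-up and admin tooling. The script below is an added example, not part of the sandbox report: it parses rows in the report's own layout (the rows embedded are copied from the table above), normalises the NT-native key paths to the HKLM form used by Sysmon and Sigma, flags script extensions whose ProgID no longer matches the stock one, and prints the reg.exe commands that restore them. The stock-ProgID table is the example's own assumption about a clean Windows 10/11 install; check it against a known-good host before restoring.

```python
"""Detect script-handler hijacks in sandbox registry rows (added example, not report code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: rows copied from the "Modifies registry class" table, in the
# report's layout  Set value (str) <key> = "<data>" <process> N/A  /  Key created <key> <process> N/A
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FC82482B851F9040D65F7E9CBC94E64058446733623FD69C" C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\gicqfnthwk.exe N/A',
]

# Assumed stock ProgIDs for the extensions the report touches (clean Windows 10/11).
STOCK_PROGID = {
    ".bat": "batfile", ".reg": "regfile", ".vbs": "VBSFile",
    ".wsf": "WSFFile", ".wsh": "WSHFile", ".wsc": "scriptletfile",
}

SET_RE = re.compile(r'^Set value \(\w+\) (\\REGISTRY\\\S+?) = "(.*?)" (\S.*?) N/A$')


def normalize_key(nt_key: str) -> str:
    r"""\REGISTRY\MACHINE\... -> HKLM\...,  \REGISTRY\USER\... -> HKU\...; drop the trailing '\'."""
    upper = nt_key.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        nt_key = "HKLM\\" + nt_key[len("\\REGISTRY\\MACHINE\\"):]
    elif upper.startswith("\\REGISTRY\\USER\\"):
        nt_key = "HKU\\" + nt_key[len("\\REGISTRY\\USER\\"):]
    return nt_key.rstrip("\\")


def parse_set_values(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(normalized_key, data, writing_process) for every 'Set value' row; other rows are skipped."""
    out = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            out.append((normalize_key(m.group(1)), m.group(2), m.group(3)))
    return out


def find_handler_hijacks(rows: List[str]) -> Dict[str, Dict[str, str]]:
    r"""{process: {".ext": data}} for writes to the (Default) value of HKLM\SOFTWARE\Classes\.ext
    that point a script extension at something other than its stock ProgID."""
    hits: Dict[str, Dict[str, str]] = {}
    for key, data, proc in parse_set_values(rows):
        parts = key.split("\\")
        ext = parts[-1].lower()
        if (len(parts) >= 3 and parts[-2].lower() == "classes"
                and ext in STOCK_PROGID and data.lower() != STOCK_PROGID[ext].lower()):
            hits.setdefault(proc, {})[ext] = data
    return hits


def restore_commands(hijacks: Dict[str, Dict[str, str]]) -> List[str]:
    """reg.exe commands (run elevated) that put the stock ProgID back for each hijacked extension."""
    cmds = []
    for exts in hijacks.values():
        for ext in sorted(exts):
            cmds.append(f'reg add "HKLM\\SOFTWARE\\Classes\\{ext}" /ve /d {STOCK_PROGID[ext]} /f')
    return cmds


if __name__ == "__main__":
    found = find_handler_hijacks(SAMPLE_ROWS)
    for proc, exts in found.items():
        print(proc, "->", ", ".join(f"{e}={d}" for e, d in exts.items()))
    print("\n".join(restore_commands(found)))
```

On a live host the same check is `Get-ItemProperty 'HKLM:\SOFTWARE\Classes\.bat'` and friends: a `(default)` of `txtfile` on any script extension is the indicator. The CLV.Classes subkey written by the original sample is a separate indicator; the report shows only that it holds hex-looking string values, so treat the key name as the IOC rather than guessing at the contents.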

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Process (consecutive events, in the order recorded; the report gives no description, indicator or target for these rows)
C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe ×16
C:\Windows\SysWOW64\gicqfnthwk.exe ×10
C:\Windows\SysWOW64\mgprebzqzivoevw.exe ×8
C:\Windows\SysWOW64\euknqqypysmqx.exe ×12
C:\Windows\SysWOW64\mgprebzqzivoevw.exe ×2
C:\Windows\SysWOW64\djdgljti.exe ×8
C:\Windows\SysWOW64\mgprebzqzivoevw.exe ×2
C:\Windows\SysWOW64\euknqqypysmqx.exe ×4
C:\Windows\SysWOW64\mgprebzqzivoevw.exe ×2

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\gicqfnthwk.exe
PID 3052 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\gicqfnthwk.exe
PID 3052 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\gicqfnthwk.exe
PID 3052 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\mgprebzqzivoevw.exe
PID 3052 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\mgprebzqzivoevw.exe
PID 3052 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\mgprebzqzivoevw.exe
PID 3052 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\djdgljti.exe
PID 3052 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\djdgljti.exe
PID 3052 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\djdgljti.exe
PID 3052 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\euknqqypysmqx.exe
PID 3052 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\euknqqypysmqx.exe
PID 3052 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Windows\SysWOW64\euknqqypysmqx.exe
PID 4688 wrote to memory of 2964 N/A C:\Windows\SysWOW64\gicqfnthwk.exe C:\Windows\SysWOW64\djdgljti.exe
PID 4688 wrote to memory of 2964 N/A C:\Windows\SysWOW64\gicqfnthwk.exe C:\Windows\SysWOW64\djdgljti.exe
PID 4688 wrote to memory of 2964 N/A C:\Windows\SysWOW64\gicqfnthwk.exe C:\Windows\SysWOW64\djdgljti.exe
PID 3052 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3052 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
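Read together, the rows above give the execution chain: PID 3052 (the original sample) writes into four freshly started copies in SysWOW64 and into WINWORD.EXE (PID 3916), and one of those copies, gicqfnthwk.exe (PID 4688), in turn writes into a second djdgljti.exe (PID 2964). The table records every write separately, which is why most pairs appear three times. The script below is an added example, not part of the sandbox report: it parses rows in the report's layout (the embedded rows are the table above), keeps the write count per parent/child pair instead of collapsing it, and renders the resulting tree. Nothing beyond the rows themselves is assumed.

```python
"""Rebuild the process tree from WriteProcessMemory rows (added example, not report code)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

A85 = r"C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe"

# Constructed sample: the rows of the "Suspicious use of WriteProcessMemory" table, with
# the same repetition the report shows.
SAMPLE_ROWS = (
    [f"PID 3052 wrote to memory of 4688 N/A {A85} C:\\Windows\\SysWOW64\\gicqfnthwk.exe"] * 3
    + [f"PID 3052 wrote to memory of 4892 N/A {A85} C:\\Windows\\SysWOW64\\mgprebzqzivoevw.exe"] * 3
    + [f"PID 3052 wrote to memory of 1476 N/A {A85} C:\\Windows\\SysWOW64\\djdgljti.exe"] * 3
    + [f"PID 3052 wrote to memory of 2808 N/A {A85} C:\\Windows\\SysWOW64\\euknqqypysmqx.exe"] * 3
    + [r"PID 4688 wrote to memory of 2964 N/A C:\Windows\SysWOW64\gicqfnthwk.exe C:\Windows\SysWOW64\djdgljti.exe"] * 3
    + [f"PID 3052 wrote to memory of 3916 N/A {A85} C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"] * 2
)

# "PID <src> wrote to memory of <dst> N/A <src path> <dst path>"; the target path starts at
# the last " C:\" so a source path without spaces before it is split correctly.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(rows: List[str]) -> Tuple[Counter, Dict[int, str]]:
    """Return ({(src_pid, dst_pid): write_count}, {pid: image path})."""
    edges: Counter = Counter()
    names: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        names[src] = m.group(3)
        names[dst] = m.group(4)
    return edges, names


def build_tree(edges: Counter):
    """Roots are writers that were never written to; children keep first-seen order."""
    children = defaultdict(list)
    for src, dst in edges:  # Counter preserves insertion order
        if dst not in children[src]:
            children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges if src not in targets})
    return roots, children


def render_tree(roots, children, names, edges, depth: int = 0) -> List[str]:
    """Indented lines: '<pid> <image>  (<n> writes)' for every node under the given roots."""
    lines = []
    for pid in roots:
        lines.append(f"{'  ' * depth}{pid} {names.get(pid, '?')}")
        for child in children.get(pid, []):
            n = edges[(pid, child)]
            sub = render_tree([child], children, names, edges, depth + 1)
            sub[0] += f"  ({n} write{'s' if n != 1 else ''})"
            lines.extend(sub)
    return lines


if __name__ == "__main__":
    e, n = parse_rows(SAMPLE_ROWS)
    r, c = build_tree(e)
    print("\n".join(render_tree(r, c, n, e)))
```

The output places 2964 under 4688, not under 3052, which is the detail worth carrying into the Processes section below: the second djdgljti.exe entry there (launched as C:\Windows\system32\djdgljti.exe) is the one started by the dropped copy, not by the original sample.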

Processes

C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe

"C:\Users\Admin\AppData\Local\Temp\a85144a2c4ed68d0e7ecfd200d018c4a.exe"

C:\Windows\SysWOW64\gicqfnthwk.exe

gicqfnthwk.exe

C:\Windows\SysWOW64\euknqqypysmqx.exe

euknqqypysmqx.exe

C:\Windows\SysWOW64\djdgljti.exe

djdgljti.exe

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

mgprebzqzivoevw.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\djdgljti.exe

C:\Windows\system32\djdgljti.exe

Network

Every row below is either a DNS query to the sandbox resolver 8.8.8.8 (reverse PTR lookups of the form d.c.b.a.in-addr.arpa, plus one forward lookup of tse1.mm.bing.net) or a TCP/443 connection to 204.79.197.200 for tse1.mm.bing.net. No other destination was contacted during this detonation, so the run yields no network indicator beyond that background traffic.

Country Destination Domain Proto
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
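The PTR names in the Domain column are addresses written backwards, so 85.177.190.20.in-addr.arpa is a lookup of 20.190.177.85. The script below is an added example, not part of the sandbox report: it parses rows in the table's layout (the embedded rows are a subset of the table above), decodes the PTR names back to addresses, separates forward lookups from direct connections, and reports any destination outside an allowlist. The allowlist (the resolver 8.8.8.8 and the 204.79.197.0/24 Bing edge seen in the table) is the example's own assumption and should be replaced with the sandbox's real baseline.

```python
"""Decode the Network table: PTR names to addresses plus an allowlist check (added example)."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: rows copied from the Network table above.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp",
]

# Assumed allowlist: the sandbox resolver and the Bing edge the report shows.
ALLOW = [ipaddress.ip_network("8.8.8.8/32"), ipaddress.ip_network("204.79.197.0/24")]

ROW_RE = re.compile(r"^(\w\w) (\S+):(\d+) (\S+) (tcp|udp)$")


def ptr_to_ip(name: str) -> Optional[str]:
    """'85.177.190.20.in-addr.arpa' -> '20.190.177.85'; None if the name is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def summarize(rows: List[str]) -> Dict[str, object]:
    """Split rows into decoded PTR targets, forward lookups, direct connections and
    anything whose destination falls outside ALLOW."""
    ptr: List[str] = []
    forward: List[str] = []
    conns: Counter = Counter()
    unexpected: List[str] = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        _, dst, port, domain, proto = m.groups()
        if not any(ipaddress.ip_address(dst) in net for net in ALLOW):
            unexpected.append(f"{dst}:{port}/{proto}")
        if proto == "udp" and port == "53":
            ip = ptr_to_ip(domain)
            if ip is None:
                forward.append(domain)
            elif ip not in ptr:
                ptr.append(ip)
        else:
            conns[(dst, int(port), proto, domain)] += 1
    return {"ptr_targets": ptr, "forward_lookups": forward,
            "connections": conns, "unexpected": unexpected}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    print("reverse-looked-up addresses:", s["ptr_targets"])
    print("forward lookups:", s["forward_lookups"])
    for key, n in s["connections"].items():
        print("connection", key, "x", n)
    print("outside allowlist:", s["unexpected"] or "none")
```

The decoded addresses are what you would check against your own network baseline; the PTR query itself only tells you that something on the guest resolved them, not that the sample connected to them.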

Files

Several paths below appear more than once with different hashes (C:\Windows\SysWOW64\mgprebzqzivoevw.exe three times, for example): each entry is one observed write, so the path is the stable indicator and the hashes are per-observation. The \??\c:\ prefix is the NT object-manager form of C:\, so the two PROTTPLV.DOC.exe entries are the same file written twice. The memory/<pid>-... entries are memory-region dumps of the listed PID and carry no hashes.

memory/3052-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

MD5 b9b1c58a708dea18b6b590848c98e344
SHA1 2e0fb6b0bb17be5a4f872b30e92fdfe8c1b4e924
SHA256 837469df3c12c204c1bafd6e5095fe5992663f23e7691b5e7ea722c905d6f6d4
SHA512 2321b04050aec4c958477e53062f22bd5609b4a9df610811d1471536ba9a4bf394f49252c8c2d9ef4074c171fb296298b528006a850a4d627129cf95281ed02d

C:\Windows\SysWOW64\gicqfnthwk.exe

MD5 53f2b30196288d450883c0ea994c9757
SHA1 5301cb14720838cecc31c7c1d6519b2fbbdb216b
SHA256 52eefeb04689c004a59ed5499cc5d81bad16315da15e04101b966cac4a8068f9
SHA512 cf55c5e972f22357f8b8ba11c93939d81f3e7a86ae5664f55928ff5ad2fb27b27effd43a6e2da2e1846d266f27eb666b54a5f0ad4a7885b7733ea477c5b844f6

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

MD5 1604295f37366f462b98320544ba7c0f
SHA1 ff229916c326614fdbd2717b3a7108b0a84da6a2
SHA256 5636ac611065dc7e30bad34ec872f05a4d20308104d2a463276096a16857228d
SHA512 798e1a04c8e3639b7efd713ebd168cd1b7e66acc0d7e327a29643467c0a3f03c74750d678bd4846aae50ec839cf5916ba7141d17cbaba88eb833a48dbe09f969

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

MD5 7f0eb36fa729254c94d00d3891e66fc5
SHA1 9e4c499e34bd47c8d858bd043c7cdf1e589dc7f4
SHA256 3ea8403a506b913c99202753d6b17c5dc7ae8b33ba587cacd7a40e5a9d94d8af
SHA512 3d8d66b6d812e9ae960883533ff6751d2ce8f005e2c5ae8d7b9e6b997da8a426fd2b4d8737707363dde79b02b0ee5c228f2d0cb422d15fa526c61c060c7e90f7

C:\Windows\SysWOW64\djdgljti.exe

MD5 3a81a11124e256ccf1aa17d99f5d87b1
SHA1 cb9eb79d3b0f96f17a3c69c6ffc8f5c39cad138e
SHA256 21f3e387caa9001c9d6244dda8db5b40a5bb74c07643f85753f08cae44b04566
SHA512 d7bf56829ec9647c5a21a45d7bc53f12be7e470f13ab802f1de6b83d71ff6afdb8cfe81ad26f94846a8fdc9d1ece4ce13b99883a5c25bcabae1e64f8bd046c22

C:\Windows\SysWOW64\euknqqypysmqx.exe

MD5 88428070f54083ed7c9eb62c09bfa146
SHA1 e624a26fa6669a1cc9dbf038b3531f6a22c46e26
SHA256 8167e3d3a94dc5d797285767dd447be371d07adc110d6551318ad2a9d77ce221
SHA512 d14edc5ad9a9b8ad3df9e1d36cb0bd40c4981a45f82f104a426238d23e32d96fb6fc4aae67b14e1e9fcccc52a0966b9635d65077efc9aa57853d485b46b4b3a6

C:\Windows\SysWOW64\euknqqypysmqx.exe

MD5 1ff9516954b686ea8a8bd388ff33e7c1
SHA1 b6372136b7dbe8357d0f7947abb638962ff46ddd
SHA256 9e015bb5b813665110cb96eb31298bd9e86cd98096d98a1625f0d63fd9e8e791
SHA512 f201d4d0652e8cdaca50d0ed700c8d166bac7bb57c08dd7bfcbbc6dca82a2167b9858433046b33b7428d5dccf83401f8fc300168320f4929dcaf37e75de79dc3

C:\Windows\SysWOW64\djdgljti.exe

MD5 26d0fe90522a5aa9d4386aff8286ae92
SHA1 87c05bbc00b45895773aedb30993b4e44d753f3d
SHA256 50eacaf6993684060002d40b24091a3d11c31e47009d645406801fc8bbdaa3db
SHA512 d65479998703a01128cc37896c8cac711e397840dbee31e255c189c4b3b7559e9e3085e11a4e0e2d439ad6b16932b7a0f15f5a488ce9b664e7cec6b517a1e825

C:\Windows\SysWOW64\gicqfnthwk.exe

MD5 41c0170c2999b3b0e062a5f93a3adedc
SHA1 219558a479fc736a2df946baba3ba9f804d8a8b7
SHA256 f095077e34b1ae477d9cbfc33175f04de1e209c81410e7f22e05a882ae797947
SHA512 aebf2ae985c386f03ccb09cac37de1edb5899108837c0c508c9674beaf27d620ab3bce04ce9d1438e6bb675fbb16b9c81de27e0b39e3c1fb74d7c8b28b62a5ff

C:\Windows\SysWOW64\djdgljti.exe

MD5 d0d6227e3eff5309d000e366b5063a77
SHA1 cd72500fe9e67e69980b8353c1746b1ac952a1b9
SHA256 0dfaa5a941f32997e3d511a6f84ede24ee4ead6f5c1689b9087861959ba236eb
SHA512 1d4391f94f862d5c240690dbe4bc0851d7a12ad479e1d0b545bab786ccfe90df465a57e4b3d10300741a7b221b0b8027bbc8c63f6ad2d5a4e71b1525279e6f49

memory/3916-40-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-43-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-45-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-46-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-47-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-48-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-49-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-52-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-53-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-55-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-54-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-56-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

memory/3916-57-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-59-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-60-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-58-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-51-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-50-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

memory/3916-44-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-42-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-41-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-39-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-38-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-37-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 361ba5cdfe246f4303b0a1638e0daf43
SHA1 eced7199b1af3c8e92209a68cb9a925ff3f369a3
SHA256 507143acb38e64408d03a0dd98e16bd34ca557294c466ae8ec9c7c763eb3a2a5
SHA512 81b9d124396d138717aea4dc71cec59426a3b65b47eaa0d13523adf030c5e3df9fa670ed48f7634d0301812d4b546dd43bc5bf863b58112570a2ab049bc7ab54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 1e50bfc02441e517e2262d5c27fce820
SHA1 86e302f0e61eb59eb9872dfed44d15a102d43b79
SHA256 495502d8f40d1dc21d6705dc8ff834977782d08a0f3b2698fba33c72a4e8b257
SHA512 3cd2ed038e112c73e98b0ab34a17b6284bf83a2626a75696ab4ffe8fee3b9b0f73715e33d6255c42719f95743907e766e033862a523b7e142ec2f89eba8be7ca

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f2afa840fd40cf402aa9eca9ea811871
SHA1 4efd5205f1427af6cfe16744f9700e0d34148f32
SHA256 60b8dc3bf0a75646391067af6fe6376e64d4c057f31c264bf0eaf82bf765a40f
SHA512 ab744e17dc2cd18b8cda7ae2cedd8ecc43f29a82a85ac0dafcd62849604131df1db3bd0c36a7c2d74a9b963abed72f43acb3055bc0f13fd2e5096088044427ca

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 551ffe1d933a2b0ca0e02270a9cb2db8
SHA1 c499d5d6d98bbb25b00d5eec4d1a2e2b43cf45fd
SHA256 4b4b30994da91e065c432839e6107e7aa3960ef7963819d94f5252e0517dc1ca
SHA512 89cf6db24a5a4fefef8befc571447629ec9f68071c317fc315b138cc0b24f143ccd6870f120081bb8d0c1dc1241f64d9a3f29bc0de5a430b626ae48dfe899982

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 af529ad6e25b578e54ba7e001d79c1e7
SHA1 e9a459e17a5703dc0b9e5b1df0c67b5ffd5c1548
SHA256 b7a6830fe942cdf68669b3421c87ae5e1cf0233671e41f19dbd228450db01ce7
SHA512 7c0f497ff31d1ebd072c56f210ce97e2b3036d474b0d16a21770bc6491503994af529fb23df6e0b4c5a78f6e19d4d70580ec2df39db1834a85986411f1f9ec55

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 b8ca5d41918be0a332ce0ba3ee0b2891
SHA1 ec82eae7f1fc69198a06c55d9132a57eec5c3dfb
SHA256 f0e0b0c74e46bc8cc0368f053f213a86f5e72d9a99455280d1630142807cfcb7
SHA512 2bdfc8ffd274da47c324e13faacb3316787bb0369f6922c3b8ac339ddd93101dbed1c10e4ba09788184904f0ccbeefa99047e3e32c81507bdee419e8e201ed31

memory/3916-102-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-124-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-125-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-126-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-127-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp

memory/3916-129-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-128-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp

memory/3916-130-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
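Turning the Files list into indicators means grouping entries by path, treating \??\c:\ and C:\ as the same drive, and noticing that the same path was written with different content more than once. The script below is an added example, not part of the sandbox report: it parses an excerpt of the Files section above in the section's own layout (path line, blank line, hash lines; memory/ entries have no hashes), reports which paths carry more than one SHA256, and flags dropped executables whose name ends in a document extension plus .exe, as the PROTTPL*.DOC.exe files in the Office template directory do. The set of document extensions is the example's own assumption.

```python
"""Group Files entries by path and surface multi-hash and double-extension drops (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample: an excerpt of the Files section above, paths and hashes as printed.
SAMPLE = r"""
memory/3052-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

MD5 b9b1c58a708dea18b6b590848c98e344
SHA1 2e0fb6b0bb17be5a4f872b30e92fdfe8c1b4e924
SHA256 837469df3c12c204c1bafd6e5095fe5992663f23e7691b5e7ea722c905d6f6d4

C:\Windows\SysWOW64\mgprebzqzivoevw.exe

MD5 1604295f37366f462b98320544ba7c0f
SHA1 ff229916c326614fdbd2717b3a7108b0a84da6a2
SHA256 5636ac611065dc7e30bad34ec872f05a4d20308104d2a463276096a16857228d

\??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 551ffe1d933a2b0ca0e02270a9cb2db8
SHA1 c499d5d6d98bbb25b00d5eec4d1a2e2b43cf45fd
SHA256 4b4b30994da91e065c432839e6107e7aa3960ef7963819d94f5252e0517dc1ca

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 af529ad6e25b578e54ba7e001d79c1e7
SHA1 e9a459e17a5703dc0b9e5b1df0c67b5ffd5c1548
SHA256 b7a6830fe942cdf68669b3421c87ae5e1cf0233671e41f19dbd228450db01ce7

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DOC_EXTS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".txt"}  # assumed


def normalize_path(p: str) -> str:
    """Strip the NT object-manager prefix and upper-case the drive letter: \\??\\c:\\x -> C:\\x."""
    if p.startswith("\\??\\"):
        p = p[4:]
    if len(p) >= 2 and p[1] == ":":
        p = p[0].upper() + p[1:]
    return p


def parse_files(text: str) -> List[Dict[str, str]]:
    """One dict per file entry: {"path": ..., "MD5": ..., "SHA1": ..., ...}; memory/ dumps are skipped."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": normalize_path(line)}
            entries.append(current)
    return entries


def by_path(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Case-insensitive path -> distinct SHA256 values in observation order."""
    groups: Dict[str, List[str]] = OrderedDict()
    for e in entries:
        key = e["path"].lower()
        hashes = groups.setdefault(key, [])
        if "SHA256" in e and e["SHA256"] not in hashes:
            hashes.append(e["SHA256"])
    return groups


def multi_version_paths(groups: Dict[str, List[str]]) -> List[str]:
    """Paths the sandbox saw written with more than one distinct content."""
    return [p for p, hashes in groups.items() if len(hashes) > 1]


def has_double_extension(path: str) -> bool:
    """True for names like PROTTPLV.DOC.exe: a document extension immediately before .exe."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] == "exe" and "." + parts[-2] in DOC_EXTS


if __name__ == "__main__":
    groups = by_path(parse_files(SAMPLE))
    for p in multi_version_paths(groups):
        print("multiple versions:", p, len(groups[p]), "hashes")
    for p in groups:
        if has_double_extension(p):
            print("document-named executable:", p)
```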