Malware Analysis Report

2025-08-05 17:03

Sample ID 240107-yb9njadfc2
Target a91ea79a692b6b7cdda92c6a588386f8.exe
SHA256 d86d042c8681af6deee373b23f0dc4b3cdcfe4775aa73da1975a7f9ae733fa3a
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d86d042c8681af6deee373b23f0dc4b3cdcfe4775aa73da1975a7f9ae733fa3a

Threat Level: Known bad

The file a91ea79a692b6b7cdda92c6a588386f8.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Windows security modification

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:37

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:37

Reported

2024-01-07 19:40

Platform

win7-20231215-en

Max time kernel

151s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbrsqvvu = "dupwvtkpgl.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aovklamq = "sigtwzommipquan.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "szeauakyzohfa.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\jadatwvj.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (7 matches, no indicator detail recorded)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\sigtwzommipquan.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\sigtwzommipquan.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\jadatwvj.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\jadatwvj.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
File created C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\szeauakyzohfa.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\szeauakyzohfa.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
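The four executables dropped into SysWOW64, the three Run values written by sigtwzommipquan.exe, and the PROTTPLN.DOC.exe / PROTTPLV.DOC.exe files that jadatwvj.exe writes into the Office template directory together make up the persistence chain. Two details matter for hunting: the Run values are bare file names rather than full paths, and the Office-directory drops carry a double extension that Explorer renders as PROTTPLN.DOC once dupwvtkpgl.exe has set HideFileExt = 1 (see the Explorer signature above). The Python below is an added example written for this page, not tooling from the sandbox. It parses rows copied from the tables above, resolves each Run value against the dropped files by base name (an assumption; the report does not show the entries being launched at logon), and flags double-extension executables. The executable-extension list and the folding of the NT-style \??\c:\ prefix are assumptions stated in the code.

```python
"""Rebuild the drop / persistence chain from the report's file and Run rows.

Added example for this page, not the sandbox's tooling. The rows are copied
from the report's tables (a constructed excerpt, not the full set).
"""
import re

REPORT_ROWS = [
    r'File created C:\Windows\SysWOW64\sigtwzommipquan.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A',
    r'File created C:\Windows\SysWOW64\jadatwvj.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A',
    r'File created C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A',
    r'File created C:\Windows\SysWOW64\szeauakyzohfa.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A',
    r'File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A',
    r'File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A',
    r'File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\jadatwvj.exe N/A',
    r'File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\jadatwvj.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\vbrsqvvu = "dupwvtkpgl.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aovklamq = "sigtwzommipquan.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "szeauakyzohfa.exe" C:\Windows\SysWOW64\sigtwzommipquan.exe N/A',
]

FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?\\Run)\\(?P<name>[^\\]*?) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>[A-Za-z]:\\.+?) N/A$'
)
EXEC_EXTS = ('exe', 'dll', 'scr', 'com')  # assumption: what counts as an executable drop


def win_path(p: str) -> str:
    # The sandbox reports some paths in NT form (\??\c:\...); fold them to C:\...
    if p.startswith('\\??\\'):
        p = p[4:]
    return p[0].upper() + p[1:] if len(p) > 1 and p[1] == ':' else p


def is_double_extension(base: str) -> bool:
    # PROTTPLN.DOC.exe -> ['PROTTPLN', 'DOC', 'exe']: a decoy extension before the real one
    parts = base.split('.')
    return len(parts) >= 3 and parts[-1].lower() in EXEC_EXTS


def display_name(base: str, hide_ext: bool = True) -> str:
    # What Explorer shows with HideFileExt = 1 (the value dupwvtkpgl.exe sets in this
    # report): the last extension is dropped, so PROTTPLN.DOC.exe appears as PROTTPLN.DOC
    return base.rsplit('.', 1)[0] if hide_ext and '.' in base else base


def build_chain(rows):
    drops, modified, run_rows, double_ext = {}, [], [], []
    for line in rows:
        m = FILE_RE.match(line)
        if m:
            path = win_path(m['path'])
            base = path.rsplit('\\', 1)[-1]
            if m['op'] == 'created' and base.rsplit('.', 1)[-1].lower() in EXEC_EXTS:
                drops[base.lower()] = {'path': path, 'dropper': m['proc']}
                if is_double_extension(base):
                    double_ext.append(path)
            else:
                modified.append(path)
            continue
        m = RUN_RE.match(line)
        if m:
            run_rows.append(m)
    run = []
    for m in run_rows:  # resolve after every drop is known, whatever the row order
        data = re.sub(r'\\(.)', r'\1', m['data'])  # undo the report's \" and \\ escaping
        bare = '\\' not in data  # no directory: resolved through the loader's search path at logon
        hit = drops.get(data.lower()) if bare else None
        run.append({
            'name': m['name'], 'data': data, 'writer': m['proc'],
            'bare_name': bare,
            'resolved': hit['path'] if hit else None,  # assumption: same base name, same file
            'wow64': '\\Wow6432Node\\' in m['key'],    # the 32-bit Run view is still processed at logon on x64
        })
    return {'drops': drops, 'modified': modified, 'run': run, 'double_ext': double_ext}


if __name__ == '__main__':
    chain = build_chain(REPORT_ROWS)
    for d in chain['drops'].values():
        print('dropped', d['path'], 'by', d['dropper'].rsplit('\\', 1)[-1])
    for r in chain['run']:
        print('Run', r['name'] or '(Default)', '=', r['data'], '->', r['resolved'] or 'unresolved')
    for p in chain['double_ext']:
        base = p.rsplit('\\', 1)[-1]
        print('double extension', base, 'shown as', display_name(base))
```

A hunt built from this output should match Run values whose data is a bare file name with no directory, and file names with an executable extension following a document extension, rather than the random names themselves, which will differ per infection.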

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCDFABDF96AF2E2840C3A4B86ED39E3B0F902FD42680238E2CB429A08A4" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\dupwvtkpgl.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
N/A N/A C:\Windows\SysWOW64\dupwvtkpgl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\jadatwvj.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A
N/A N/A C:\Windows\SysWOW64\sigtwzommipquan.exe N/A
N/A N/A C:\Windows\SysWOW64\szeauakyzohfa.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\dupwvtkpgl.exe
PID 1180 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\dupwvtkpgl.exe
PID 1180 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\dupwvtkpgl.exe
PID 1180 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\dupwvtkpgl.exe
PID 1180 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\sigtwzommipquan.exe
PID 1180 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\sigtwzommipquan.exe
PID 1180 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\sigtwzommipquan.exe
PID 1180 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\sigtwzommipquan.exe
PID 1180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1180 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\szeauakyzohfa.exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\szeauakyzohfa.exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\szeauakyzohfa.exe
PID 1180 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\szeauakyzohfa.exe
PID 1312 wrote to memory of 2172 N/A C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1312 wrote to memory of 2172 N/A C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1312 wrote to memory of 2172 N/A C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1312 wrote to memory of 2172 N/A C:\Windows\SysWOW64\dupwvtkpgl.exe C:\Windows\SysWOW64\jadatwvj.exe
PID 1180 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1180 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1180 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1180 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2628 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2628 wrote to memory of 2176 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe

"C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"

C:\Windows\SysWOW64\dupwvtkpgl.exe

dupwvtkpgl.exe

C:\Windows\SysWOW64\sigtwzommipquan.exe

sigtwzommipquan.exe

C:\Windows\SysWOW64\jadatwvj.exe

jadatwvj.exe

C:\Windows\SysWOW64\szeauakyzohfa.exe

szeauakyzohfa.exe

C:\Windows\SysWOW64\jadatwvj.exe

C:\Windows\system32\jadatwvj.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1180-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\sigtwzommipquan.exe

MD5 671d5447bbcc8d8fd781259309c657bb
SHA1 cf9c35705d68952be42d5719e6b22b5d0bef7ba5
SHA256 423bd936ebb93c7c01752cd691737c538731102ddc07d51bf1aeae3c0eb45365
SHA512 8cbe169fac544689c8e815108f7b0ed9ffd314c873590669b6e06d0214e9e011dfd2b4ba0615a4ba87d227445f4ef211020205343d89237eb9355618b78938fc

\Windows\SysWOW64\dupwvtkpgl.exe

MD5 adfa23b90f169f7c82d2ed47ef5ab266
SHA1 5cacfd4c413664fd18f39e9bad4a59fdc59aed03
SHA256 6a54fc65ce0d9abc620ce0afac439fddbda85b7d4573414a29aa0a1e78ae10f2
SHA512 71697e13b5d5baa71fc91ab4e00ed4ba147edf8bcf00c1234849d2c67be1c97f761fa4f856a9b6ebae2290cfac24ae12551687483b59057357e685a7b341a21f

\Windows\SysWOW64\jadatwvj.exe

MD5 bb78b8f8859cdc6ea0616178df9d0c10
SHA1 7f8d7e0906ee5a68cfee55c6dc9f408b406c8f03
SHA256 3c5740c4ed4af7eeac476a83c4ae33dd32ce3ae53ca9ffd5418e996e3145e0c2
SHA512 124f261207cd72a82499d9dcac8a0254d7c8616d723864c59589504607f78d0fb7cfe7d7847e3ee9939eabbc704b6b7ea183a245757b7733b4e2e363c58b0b64

\Windows\SysWOW64\szeauakyzohfa.exe

MD5 390ff42e081bbfc323a0f522d31aee44
SHA1 2d87ee39e5ed9d85180695092bee312f4be81470
SHA256 d302261d61e7f788400a5c16e8b0190b6ab9bec47dc738b1182d5c0f0d949960
SHA512 386d9d2451c6b298d4ffcdb31162c405519f4ad3f5a324e4371e9155728611cd1af444e27bae08d763f7e10b0f3c89a9314a0198c0b4fcedecfcf55de73adc05

memory/2628-45-0x000000002FE31000-0x000000002FE32000-memory.dmp

memory/2628-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2628-47-0x0000000070E3D000-0x0000000070E48000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 6eea7f31a600911c7815ba48142bd2c8
SHA1 b4df559594445dcd6427639984f74f6ab6b12e94
SHA256 95642b59ccd3ec2a3d302340d942795859607ff9441e74992cbe97afa17df9f4
SHA512 51b56c53843447afd4774459cbfd983fc087d29c04c10f92178ef7f9855e9078461a6c094b86a1b983eb7063b0235c5813adc81185b1f87c203918e614d9d256

C:\Users\Admin\Documents\ConvertUnregister.doc.exe

MD5 abf67e55313251022e001a397e96e435
SHA1 c32eabfa28e7ab157644e1b232141f6e3f02b679
SHA256 e70315cf5e3384474eff686b90e8db1e71f7bd0f52eb365cf734a5743387885d
SHA512 659cb8b8dc7dda21514a6fea26b51875bb6474c6f44d2b99eabcce2e162762241efeee43f16855ed2907fb1207d83d500f71624bdfb27cd5f98429b30cc74eb4

memory/2628-82-0x0000000070E3D000-0x0000000070E48000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 73e9f0d4fbad95d409437bd37e431931
SHA1 bce799d523dbe19d3ad15dc0f36bee8b613802ed
SHA256 fea042645b5918f0ab3091e24ce962c4f9b8474dca344b03e960e3b5f4840fde
SHA512 3eec9a6aa6e67ed3f002199a683d79f6a8bff9065b800530a02a04045f02ad5d1011b014ef674d3d689da6b92d6b10f6d862d2e8d49106e6d2aefac0d035b6de

memory/2628-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:37

Reported

2024-01-07 19:40

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wstqftpa = "holcfrgjhz.exe" C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bgzedeah = "byyewlcsjyikndl.exe" C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bnrsoiydnqglt.exe" C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\holcfrgjhz.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\holcfrgjhz.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\holcfrgjhz.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\byyewlcsjyikndl.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\byyewlcsjyikndl.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\qhubutnh.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\qhubutnh.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File created C:\Windows\SysWOW64\bnrsoiydnqglt.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\bnrsoiydnqglt.exe C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qhubutnh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1839C60F1491DABEB8C07CE1ED9F34BA" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F668B6FF1B22D9D209D1D18B79916B" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33322C779C2583256A4377D270212CAD7D8665AA" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACEF9BDFE64F1E5840C3B3686983E92B0FC03FD43610332E1BF429D08A6" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB15B4492399952CBB9D6329BD7CE" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FF894F5D82129137D72E7E9CBD90E13C584667406332D690" C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\holcfrgjhz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\holcfrgjhz.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\holcfrgjhz.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\bnrsoiydnqglt.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\byyewlcsjyikndl.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A
N/A N/A C:\Windows\SysWOW64\qhubutnh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\holcfrgjhz.exe
PID 1120 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\holcfrgjhz.exe
PID 1120 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\holcfrgjhz.exe
PID 1120 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\byyewlcsjyikndl.exe
PID 1120 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\byyewlcsjyikndl.exe
PID 1120 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\byyewlcsjyikndl.exe
PID 1120 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\qhubutnh.exe
PID 1120 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\qhubutnh.exe
PID 1120 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\qhubutnh.exe
PID 1120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\bnrsoiydnqglt.exe
PID 1120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\bnrsoiydnqglt.exe
PID 1120 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Windows\SysWOW64\bnrsoiydnqglt.exe
PID 1120 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1120 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5092 wrote to memory of 2304 N/A C:\Windows\SysWOW64\holcfrgjhz.exe C:\Windows\SysWOW64\qhubutnh.exe
PID 5092 wrote to memory of 2304 N/A C:\Windows\SysWOW64\holcfrgjhz.exe C:\Windows\SysWOW64\qhubutnh.exe
PID 5092 wrote to memory of 2304 N/A C:\Windows\SysWOW64\holcfrgjhz.exe C:\Windows\SysWOW64\qhubutnh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe
"C:\Users\Admin\AppData\Local\Temp\a91ea79a692b6b7cdda92c6a588386f8.exe"

C:\Windows\SysWOW64\holcfrgjhz.exe
holcfrgjhz.exe

C:\Windows\SysWOW64\qhubutnh.exe
qhubutnh.exe

C:\Windows\SysWOW64\bnrsoiydnqglt.exe
bnrsoiydnqglt.exe

C:\Windows\SysWOW64\byyewlcsjyikndl.exe
byyewlcsjyikndl.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qhubutnh.exe
C:\Windows\system32\qhubutnh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 120.150.79.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 76.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 233.17.178.52.in-addr.arpa udp

Files

memory/1120-0-0x0000000000400000-0x0000000000496000-memory.dmp
memory/3748-38-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-41-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-43-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-45-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-46-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-47-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-48-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-50-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-53-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-54-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-52-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-55-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-51-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp
memory/3748-56-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-57-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-49-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-44-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-58-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp
memory/3748-42-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-40-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-39-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-37-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-87-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-121-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-122-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-124-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-123-0x00007FFCA6610000-0x00007FFCA6620000-memory.dmp
memory/3748-125-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-126-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp
memory/3748-127-0x00007FFCE6590000-0x00007FFCE6785000-memory.dmp