Malware Analysis Report

2024-10-19 08:26

Sample ID: 240125-wbfdkschdk
Target: 752018ae89f569d80a8de45e8de1f020
SHA256: ef2d55d039eb1946f31db372da327246ec57ae9288cd23c61cb1ef6a3aca867f
Tags: evasion persistence spyware stealer trojan upx kinsing loader
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: ef2d55d039eb1946f31db372da327246ec57ae9288cd23c61cb1ef6a3aca867f

Threat Level: Known bad

The file 752018ae89f569d80a8de45e8de1f020 was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan upx kinsing loader

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Kinsing

Disables RegEdit via registry modification

Checks computer location settings

UPX packed file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Windows security modification

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-25 17:44

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 17:44
Reported: 2024-01-25 17:47
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\igsfxpujah.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\igsfxpujah.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ewcfuzhh = "igsfxpujah.exe" C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccdkcmxm = "kjvltfvlitdfcow.exe" C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "akpxdzjfncrcn.exe" C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\igsfxpujah.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\igsfxpujah.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\igsfxpujah.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\igsfxpujah.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\kjvltfvlitdfcow.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created C:\Windows\SysWOW64\akpxdzjfncrcn.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\akpxdzjfncrcn.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created C:\Windows\SysWOW64\igsfxpujah.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created C:\Windows\SysWOW64\kjvltfvlitdfcow.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created C:\Windows\SysWOW64\hkpnnnxr.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\hkpnnnxr.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\igsfxpujah.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hkpnnnxr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\igsfxpujah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33352C7F9D5183596D3477D077232CAD7D8F64A8" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\igsfxpujah.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\igsfxpujah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Windows\SysWOW64\igsfxpujah.exe N/A
N/A N/A C:\Windows\SysWOW64\igsfxpujah.exe N/A
N/A N/A C:\Windows\SysWOW64\igsfxpujah.exe N/A
N/A N/A C:\Windows\SysWOW64\igsfxpujah.exe N/A
N/A N/A C:\Windows\SysWOW64\igsfxpujah.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\hkpnnnxr.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A
N/A N/A C:\Windows\SysWOW64\kjvltfvlitdfcow.exe N/A
N/A N/A C:\Windows\SysWOW64\akpxdzjfncrcn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\kjvltfvlitdfcow.exe
PID 1068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\kjvltfvlitdfcow.exe
PID 1068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\kjvltfvlitdfcow.exe
PID 1068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\kjvltfvlitdfcow.exe
PID 1068 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\akpxdzjfncrcn.exe
PID 1068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\akpxdzjfncrcn.exe
PID 1068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\akpxdzjfncrcn.exe
PID 1068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\akpxdzjfncrcn.exe
PID 2720 wrote to memory of 2572 N/A C:\Windows\SysWOW64\igsfxpujah.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 2720 wrote to memory of 2572 N/A C:\Windows\SysWOW64\igsfxpujah.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 2720 wrote to memory of 2572 N/A C:\Windows\SysWOW64\igsfxpujah.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 2720 wrote to memory of 2572 N/A C:\Windows\SysWOW64\igsfxpujah.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2492 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2492 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2492 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2492 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe

"C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe"

C:\Windows\SysWOW64\igsfxpujah.exe

igsfxpujah.exe

C:\Windows\SysWOW64\hkpnnnxr.exe

hkpnnnxr.exe

C:\Windows\SysWOW64\kjvltfvlitdfcow.exe

kjvltfvlitdfcow.exe

C:\Windows\SysWOW64\akpxdzjfncrcn.exe

akpxdzjfncrcn.exe

C:\Windows\SysWOW64\hkpnnnxr.exe

C:\Windows\system32\hkpnnnxr.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288
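
The WriteProcessMemory rows and the process list above together give the launch chain, but the report prints them flat and repeats each pair once per write. The script below is an added example, not part of the sandbox output: it parses rows in the report's own column layout, collapses repeats into a count, prints the tree and applies two triage rules (a user-writable binary driving images that live in SysWOW64/System32, and WINWORD.EXE started by something that is not Office). The sample rows are constructed from the behavioral1 table; the rules and the directory hints are this example's own choices.

```python
"""Rebuild the launch chain from 'PID X wrote to memory of Y' rows (added example)."""
import re
from collections import defaultdict

# Constructed sample: the distinct rows of the WriteProcessMemory table above, with
# one pair kept four times exactly as the report lists it.
SAMPLE_ROWS = r"""
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\igsfxpujah.exe
PID 1068 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\kjvltfvlitdfcow.exe
PID 1068 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\akpxdzjfncrcn.exe
PID 2720 wrote to memory of 2572 N/A C:\Windows\SysWOW64\igsfxpujah.exe C:\Windows\SysWOW64\hkpnnnxr.exe
PID 1068 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2492 wrote to memory of 1376 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# Process and Target are both absolute paths, so the target begins at the last " C:\".
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.*) (C:\\.*)$")

SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
OFFICE_DIR_HINT = "\\microsoft office\\"   # assumption: Office images live under this path


def parse_rows(text):
    """One dict per row: parent/child PIDs and their image paths."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"parent": int(m[1]), "child": int(m[2]),
                         "parent_image": m[3], "child_image": m[4]})
    return rows


def build_tree(rows):
    """children[pid] -> sorted child PIDs; images[pid] -> path; writes[(p, c)] -> row count."""
    children, images, writes = defaultdict(set), {}, defaultdict(int)
    for r in rows:
        children[r["parent"]].add(r["child"])
        images[r["parent"]] = r["parent_image"]
        images[r["child"]] = r["child_image"]
        writes[(r["parent"], r["child"])] += 1
    return {p: sorted(c) for p, c in children.items()}, images, dict(writes)


def roots(children):
    """PIDs that wrote to others but were never written to: the origin of the chain."""
    written_to = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_to)


def render(children, images, writes, pid, depth=0):
    """Indented text tree, one line per process, with the write count on each edge."""
    lines = [f"{'  ' * depth}{pid}  {images[pid]}"]
    for c in children.get(pid, []):
        sub = render(children, images, writes, c, depth + 1)
        sub[0] += f"  [{writes[(pid, c)]} write(s) from {pid}]"
        lines.extend(sub)
    return lines


def find_suspicious(rows):
    """Two triage rules: a user-writable binary driving system-directory images,
    and Office started by a non-Office parent."""
    findings, seen = [], set()
    for r in rows:
        edge = (r["parent"], r["child"])
        if edge in seen:
            continue
        seen.add(edge)
        parent, child = r["parent_image"].lower(), r["child_image"].lower()
        if parent.startswith("c:\\users\\") and child.startswith(SYSTEM_DIRS):
            findings.append(f"{r['parent']} ({r['parent_image']}) drives system-directory "
                            f"image {r['child_image']} as PID {r['child']}")
        if child.endswith("\\winword.exe") and OFFICE_DIR_HINT not in parent:
            findings.append(f"WINWORD.EXE (PID {r['child']}) launched by non-Office parent "
                            f"{r['parent']} ({r['parent_image']})")
    return findings


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    children, images, writes = build_tree(rows)
    for root in roots(children):
        print("\n".join(render(children, images, writes, root)))
    for finding in find_suspicious(rows):
        print("!!", finding)
```

Four writes per child is consistent with what the sandbox records for a plain process launch from a 32-bit parent, so the count alone is not evidence of injection; what matters is that a Temp-resident binary drove four freshly dropped SysWOW64 images and then opened Word on a dropped document (C:\Windows\mydoc.rtf). The long run of Classes\... keys attributed to WINWORD.EXE in the registry table is consistent with Office's own file-association registration on that launch rather than with writes authored by the sample.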

Network

N/A

Files

memory/1068-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\kjvltfvlitdfcow.exe

MD5 f68eededdcda2243b5fceac952373ad9
SHA1 8787712d61bb8bbf634cd1bae191d715b81b0e96
SHA256 a9f5fab89675d47eef4f89dc89ca10fdeae77dd25d7d8a3c333766a5bb45a5ab
SHA512 91701be904920ad846875d1721ab13fe33b8f71a940b22e1e7b691ffcbbef41840c5060f479cfa0f1d76477610a0c1f9c2716ceb5d8e2f3ad1aeb8a9d7e6ca24

\Windows\SysWOW64\igsfxpujah.exe

MD5 8bff23f111136a23903ce3eddda7141c
SHA1 05bfd81c0ba0569f0d30fee9d552ba491a310725
SHA256 d7aaf7e2441d6b8f5ace6c3679cd354520371637b130c4a7cc92d42ee2e1eb47
SHA512 a51b211ce643cd4abfb9a2524ba6271d45bebb8c7c28620eed2eead88abf811090be8cc5c0fcc603fb4e81671d38cd29575eb613c8aac241929e10372cc50889

memory/1068-18-0x0000000003350000-0x00000000033F0000-memory.dmp

C:\Windows\SysWOW64\hkpnnnxr.exe

MD5 46083bc4260dc2333b3273e3299801e4
SHA1 393dbb2479da7cc74c9ba697af0bfc8a716cd548
SHA256 bec54d8a992df314c8d93a1bdb88f0a56059a74ba2080f69faa3b09757ff7c90
SHA512 9358e537f3a87256e72609b4b8ef1ce6f0549690d0742b804d396716956396d648365cfdb434451efbada0b594c1ca684debb907c2adba4d73787a316cba713a

memory/2720-27-0x0000000000400000-0x00000000004A0000-memory.dmp

\Windows\SysWOW64\akpxdzjfncrcn.exe

MD5 4cba7bd8accda414a6d6dc3462225691
SHA1 a4031a0fee289df6703f148d1d873c45239cd409
SHA256 ffeefb212398e8f9fa6f507038eaf7b52a8d3233220aac7583a1b1a7886e28a9
SHA512 11dce01689056aacc87b6001b10a29578019ad14a9ecf548201dea26e1eef45c5972d0ff22c44ab89a72aeba6ee7922e7b58c1e73f913cd7dda97bb4b8cafbd2

memory/2792-33-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-40-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1068-41-0x0000000003350000-0x00000000033F0000-memory.dmp

memory/2708-43-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-47-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-46-0x0000000003870000-0x0000000003910000-memory.dmp

memory/1068-48-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2492-49-0x000000002F411000-0x000000002F412000-memory.dmp

memory/2492-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2492-51-0x00000000714FD000-0x0000000071508000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\Documents\PingBlock.doc.exe

MD5 514116cc08f691e1602148492d993cc7
SHA1 eebaec1e875298915509db9d30d356b0d0635aab
SHA256 df603b7984270994aa19640654a2c9ba02e1defb81bb9ebc973b2a5c3a11b855
SHA512 35035cdd4481fc372b5d74ee10cce6835f4a68e8bc05c26bfdb0884bc60d1ccb934057de216d54c14879ab97662914610f1a58f418ae6f64e0831685be20fa65

C:\Users\Admin\Desktop\AddInitialize.doc.exe

MD5 258983e4a558cf357644d2d04cf46493
SHA1 4b46f9056c00686d435112aad0a7fab1edcfa332
SHA256 30a4c264e192a22fbd2864d08dd23b4456fbdebf6578c67393b2bd8ca45a6bec
SHA512 502f7d86d32b1d29eeb7d95f114f890c137c4b443db17c882dbf0a82a689f58eeaeabc05dcbea7a960fb829360afd5e76ed63479d570c800486022983a2a458f

memory/2720-90-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-91-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-92-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-94-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-93-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-95-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-97-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-98-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-99-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-100-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-101-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-102-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-103-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2492-104-0x00000000714FD000-0x0000000071508000-memory.dmp

memory/2720-105-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-106-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-107-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-108-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-110-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-111-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-112-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-113-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-114-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-115-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-116-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-117-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-118-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-119-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-120-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2572-122-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2860-121-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-123-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-124-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-125-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-127-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-129-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-128-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-130-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-131-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-132-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-133-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-134-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-135-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 c1946c0967abc8d44e315472726e333d
SHA1 6186cefa93e1ff2ade0a99fdc60b5ea2e5a911a0
SHA256 12cb53582e4d35b50aaf0dd5e4004c91d9fc0149c6274f3fc3c2ca3c757f7f8b
SHA512 b64c33398a6ccde4e35ed3bd5054f8c0cacaa7586501330c74fe5993a4891f6904022d8bb44d106f3fba5eab1bd85ace6b788e89a956d8ae6d4bdbd984e5e01e

memory/2492-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2720-155-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-156-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-157-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-158-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-159-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-160-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-161-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-162-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-163-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-164-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-165-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-166-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2720-167-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2792-168-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2708-169-0x0000000000400000-0x00000000004A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:44

Reported

2024-01-25 17:47

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe"

Signatures

Kinsing

loader kinsing

Family tag as emitted by the sandbox signature set; treat it as low confidence. Kinsing is otherwise documented as a Linux cryptomining loader, and nothing recorded for this sample (a Win32 PE that drops random-named executables into SysWOW64, creates .doc.exe executables in document and Office template locations and tampers with Explorer, Security Center and Winlogon settings, with no network activity captured in behavioral1) matches that behaviour.

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
64 matches recorded; no description, indicator, process or target was captured for any of them.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hfwhmscg = "ykbipdpxpg.exe" C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mgtaahqj = "jppivurlbkqieke.exe" C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "owuscomlzmgwz.exe" C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\g: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hytmqygc.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
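
The registry signatures above (Explorer visibility, Security Center overrides, DisableRegistryTools, the Run keys and the Winlogon SFC values) are the part of this detonation an incident responder remediates by hand. The script below is an added example, not part of the sandbox output: it parses the report's "Set value" rows, converts the kernel object paths to reg.exe-style paths, judges each value against a hardened setting and emits the one-line fix. The sample rows are constructed from the behavioral2 tables; the hardened values, the Windows defaults noted in the rule table and the ATT&CK mappings are this example's own choices, not something the report states.

```python
"""Assess the 'Set value' rows of a sandbox report and emit reg.exe fixes (added example)."""
import re

# Constructed sample: rows taken from the behavioral2 signature tables above.
SAMPLE = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hfwhmscg = "ykbipdpxpg.exe" C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "owuscomlzmgwz.exe" C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
"""

ROW = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "(.*)" (C:\\.+) N/A$')

# (last key component, value name) -> (hardened value, Windows default or None, meaning).
# Hardened values and defaults are this example's assumptions.
RULES = {
    ("advanced", "hidefileext"): ("0", "1", "hides the .exe of an 'x.doc.exe' dropper; T1564.001"),
    ("advanced", "showsuperhidden"): ("1", "0", "keeps super-hidden files out of Explorer; T1564.001"),
    ("system", "disableregistrytools"): ("0", None, "blocks regedit for the user; T1112"),
    ("security center", "antivirusoverride"): ("0", None, "suppresses AV state in Security Center; T1562.001"),
    ("security center", "firewalloverride"): ("0", None, "suppresses firewall state in Security Center; T1562.001"),
    ("security center", "antivirusdisablenotify"): ("0", None, "silences AV-off notifications; T1562.001"),
    ("security center", "firewalldisablenotify"): ("0", None, "silences firewall-off notifications; T1562.001"),
    ("security center", "updatesdisablenotify"): ("0", None, "silences update notifications; T1562.001"),
    ("security center", "firstrundisabled"): ("0", None, "skips Security Center first-run prompts; T1562.001"),
    ("winlogon", "sfcdisable"): ("0", "0", "0xFFFFFF9D is the legacy Windows File Protection off switch, ignored on Windows 10 but a strong indicator; T1562.001"),
    ("winlogon", "sfcscan"): ("0", "0", "legacy WFP boot-scan setting; T1562.001"),
}


def to_hive_path(path):
    """Map the kernel object path the sandbox logs to the path reg.exe expects."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse(text):
    """One dict per 'Set value' row: type, key, value name, data and writing process."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")      # empty name means the (Default) value
        entries.append({"type": kind, "key": to_hive_path(key), "name": name,
                        "data": data, "process": proc})
    return entries


def assess(entries):
    """Flag autostart entries and values that differ from the hardened setting."""
    findings = []
    for e in entries:
        key_l = e["key"].lower()
        leaf = key_l.rsplit("\\", 1)[-1]
        # A 32-bit writer is redirected into WOW6432Node; 64-bit services read the native key.
        base = {**e, "wow64_view": "\\wow6432node\\" in key_l}
        if key_l.endswith("\\currentversion\\run"):
            value_arg = f'/v "{e["name"]}"' if e["name"] else "/ve"
            findings.append({**base, "issue": "autostart entry (T1547.001)",
                             "coincides_with_default": False,
                             "fix": f'reg delete "{e["key"]}" {value_arg} /f'})
            continue
        rule = RULES.get((leaf, e["name"].lower()))
        if rule is None or e["data"] == rule[0]:
            continue
        hardened, default, meaning = rule
        shown = e["data"]
        if e["type"] == "int":
            shown += f" (0x{int(e['data']):08X})"
        findings.append({**base, "issue": f"{meaning}; observed {shown}, hardened {hardened}",
                         "coincides_with_default": e["data"] == default,
                         "fix": f'reg add "{e["key"]}" /v {e["name"]} /t REG_DWORD /d {hardened} /f'})
    return findings


if __name__ == "__main__":
    for f in assess(parse(SAMPLE)):
        tag = " [same as Windows default]" if f["coincides_with_default"] else ""
        print(f"{f['key']}\\{f['name'] or '(Default)'} by {f['process']}: {f['issue']}{tag}")
        print("   ", f["fix"])
```

Two caveats the output makes visible. HideFileExt=1 and ShowSuperHidden=0 coincide with Windows defaults, so on their own they prove nothing; they matter here because a freshly dropped SysWOW64 binary wrote them. And every HKLM write by this 32-bit sample landed in WOW6432Node: the Run entries in that view are still processed at logon, but Security Center and Winlogon are read from the native view by 64-bit services, so check both views when remediating rather than trusting that the logged path is the effective one.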

AutoIT Executable

Description Indicator Process Target
58 matches recorded; no description, indicator, process or target was captured for any of them.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\hytmqygc.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\owuscomlzmgwz.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created C:\Windows\SysWOW64\jppivurlbkqieke.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\ykbipdpxpg.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\jppivurlbkqieke.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\hytmqygc.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File created C:\Windows\SysWOW64\owuscomlzmgwz.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
File created C:\Windows\SysWOW64\ykbipdpxpg.exe C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hytmqygc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\hytmqygc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352C0A9C5283566D4576D477262DD67C8E64DE" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60F14E6DAC5B8BC7C95EC9F34BC" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7866BB3FF1A21D0D27DD1D48A7A9114" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFF9CBFE14F190840F3A44819939E4B08D02FF4269034BE1CB42EB08D6" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B058449539EF52CFB9A23292D7C5" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFCFB4F5C82129142D7287DE7BDE1E641594A67406242D69E" C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\ykbipdpxpg.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\jppivurlbkqieke.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\owuscomlzmgwz.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A
N/A N/A C:\Windows\SysWOW64\hytmqygc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\ykbipdpxpg.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\ykbipdpxpg.exe
PID 1228 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\ykbipdpxpg.exe
PID 1228 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\jppivurlbkqieke.exe
PID 1228 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\jppivurlbkqieke.exe
PID 1228 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\jppivurlbkqieke.exe
PID 1228 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hytmqygc.exe
PID 1228 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hytmqygc.exe
PID 1228 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\hytmqygc.exe
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\owuscomlzmgwz.exe
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\owuscomlzmgwz.exe
PID 1228 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Windows\SysWOW64\owuscomlzmgwz.exe
PID 1228 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1228 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1744 wrote to memory of 3856 N/A C:\Windows\SysWOW64\ykbipdpxpg.exe C:\Windows\SysWOW64\hytmqygc.exe
PID 1744 wrote to memory of 3856 N/A C:\Windows\SysWOW64\ykbipdpxpg.exe C:\Windows\SysWOW64\hytmqygc.exe
PID 1744 wrote to memory of 3856 N/A C:\Windows\SysWOW64\ykbipdpxpg.exe C:\Windows\SysWOW64\hytmqygc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe

"C:\Users\Admin\AppData\Local\Temp\752018ae89f569d80a8de45e8de1f020.exe"

C:\Windows\SysWOW64\ykbipdpxpg.exe

ykbipdpxpg.exe

C:\Windows\SysWOW64\jppivurlbkqieke.exe

jppivurlbkqieke.exe

C:\Windows\SysWOW64\hytmqygc.exe

hytmqygc.exe

C:\Windows\SysWOW64\owuscomlzmgwz.exe

owuscomlzmgwz.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\hytmqygc.exe

C:\Windows\system32\hytmqygc.exe

Network


Files

C:\Windows\SysWOW64\jppivurlbkqieke.exe

C:\Windows\SysWOW64\ykbipdpxpg.exe

C:\Windows\SysWOW64\hytmqygc.exe

C:\Windows\SysWOW64\owuscomlzmgwz.exe

C:\Windows\mydoc.rtf

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

C:\Users\Admin\Documents\DebugCheckpoint.doc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe
