Malware Analysis Report

2025-03-15 04:34

Sample ID 241027-z1by8ssemb
Target e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN
SHA256 e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbb
Tags
discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbb

Threat Level: Known bad

The file e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Reads user/profile data of web browsers

Windows security modification

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:10

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:10

Reported

2024-10-27 21:38

Platform

win7-20240903-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\zlezlooy = "jidcuoabobgdfvc.exe" C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "obufnqjoqxtmt.exe" C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rvzvbhhx = "nffgadqhec.exe" C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\u: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\nffgadqhec.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\nffgadqhec.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\nffgadqhec.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vsecodtm.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\obufnqjoqxtmt.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\nffgadqhec.exe N/A
File created C:\Windows\SysWOW64\nffgadqhec.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created C:\Windows\SysWOW64\jidcuoabobgdfvc.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\jidcuoabobgdfvc.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created C:\Windows\SysWOW64\vsecodtm.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created C:\Windows\SysWOW64\obufnqjoqxtmt.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\nffgadqhec.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vsecodtm.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\vsecodtm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vsecodtm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vsecodtm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F368B3FF6E22DED272D0A68A0E9062" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB6B0294792399A53B8BAD633EAD7CB" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFEFFFC4F5C85689136D65F7DE6BDE2E633583066436333D690" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABFFABDF910F1E384753B37869A3993B080028F4316033DE1C845E608A9" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "194AC67D15E7DBB1B8C87C90ED9137B9" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33342C7E9C5683586A4676D477272CD67DF464DA" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\nffgadqhec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\nffgadqhec.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Windows\SysWOW64\nffgadqhec.exe N/A
N/A N/A C:\Windows\SysWOW64\nffgadqhec.exe N/A
N/A N/A C:\Windows\SysWOW64\nffgadqhec.exe N/A
N/A N/A C:\Windows\SysWOW64\nffgadqhec.exe N/A
N/A N/A C:\Windows\SysWOW64\nffgadqhec.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\vsecodtm.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\obufnqjoqxtmt.exe N/A
N/A N/A C:\Windows\SysWOW64\jidcuoabobgdfvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\nffgadqhec.exe
PID 2276 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\nffgadqhec.exe
PID 2276 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\nffgadqhec.exe
PID 2276 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\nffgadqhec.exe
PID 2276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\jidcuoabobgdfvc.exe
PID 2276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\jidcuoabobgdfvc.exe
PID 2276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\jidcuoabobgdfvc.exe
PID 2276 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\jidcuoabobgdfvc.exe
PID 2276 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 2276 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 2276 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 2276 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 2276 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\obufnqjoqxtmt.exe
PID 2276 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\obufnqjoqxtmt.exe
PID 2276 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\obufnqjoqxtmt.exe
PID 2276 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\obufnqjoqxtmt.exe
PID 1368 wrote to memory of 2156 N/A C:\Windows\SysWOW64\nffgadqhec.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 1368 wrote to memory of 2156 N/A C:\Windows\SysWOW64\nffgadqhec.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 1368 wrote to memory of 2156 N/A C:\Windows\SysWOW64\nffgadqhec.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 1368 wrote to memory of 2156 N/A C:\Windows\SysWOW64\nffgadqhec.exe C:\Windows\SysWOW64\vsecodtm.exe
PID 2276 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2276 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2276 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2276 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 3032 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3032 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3032 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 3032 wrote to memory of 1496 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe

"C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe"

C:\Windows\SysWOW64\nffgadqhec.exe

nffgadqhec.exe

C:\Windows\SysWOW64\jidcuoabobgdfvc.exe

jidcuoabobgdfvc.exe

C:\Windows\SysWOW64\vsecodtm.exe

vsecodtm.exe

C:\Windows\SysWOW64\obufnqjoqxtmt.exe

obufnqjoqxtmt.exe

C:\Windows\SysWOW64\vsecodtm.exe

C:\Windows\system32\vsecodtm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2276-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\jidcuoabobgdfvc.exe

MD5 58ad6b6bcbefcfdc3b699ee4decc401e
SHA1 9344472714d474d0fa863a76c483b166d732c290
SHA256 8334d82aea50f2be82d96ab47020a913acb5023eeec3bcb4d7964a46b566173a
SHA512 673085632867880529c249e3ffd10d9f0204d92ed3a21820234e170b16be47564952e81a1ef9431994293ac155a29b4f438bf74a1d6c9d56d02a199f6e8e5e17

\Windows\SysWOW64\nffgadqhec.exe

MD5 0295daf5ad21450f1f711bfed92a2150
SHA1 e38c14103c9d6c876c5227b63e044cd8873abc95
SHA256 94e496edc450082ad3a5b40ef39fd806f5c9ccd4f89a01ba63cc474660f06a80
SHA512 41f150445dce251899c75b9f584aca9a1ae7d11b7282995d31a0903b37b02d6d66681762f6aa468b423ee6e22907b7ff34166f634736701f6843bbb04109d454

\Windows\SysWOW64\vsecodtm.exe

MD5 61aab506ad680ab81c60948d8acb3cbb
SHA1 c10ef17d50dc6795b1cdc04c6ec9e10166b91c70
SHA256 f903ecbdbbfc53dff73885866490ed95e5ecd53f83b231e0fc7bb314782b8661
SHA512 311e3449e4b17f8e52d6941b997f229fdab4ec72407e116c2ee99624e1c7e73dd376f8c802d75e67c1d4c7052c9f0d34731d0b7ee4fc29bea7818279b22f4b22

\Windows\SysWOW64\obufnqjoqxtmt.exe

MD5 4874a0e953aba2ca3a9c928bb018b088
SHA1 143ff2933d97c007d19c8c5d58b1a252887f8140
SHA256 b4271be71aef078b59bcb1fce8c7775869fcbab96d73bf6a0fc3193b042d604a
SHA512 23adb2ed9afc233470e393910ebd27506e0901cf39d1d996b9e30088347b251628361798c56d0270906bbcde472e0491fd64c8ad6ca81b413df98b41df76570d

memory/3032-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 6008cec4145e35406f05af7beaea8939
SHA1 0c3cd48c679fff27f54af571a1a6e97b3bfb1b04
SHA256 51046cdd9c57200229e217ffa4fbd064bd5d52e4a132daa45e5b78a7c21da87f
SHA512 416607a5fae98c5b647d2856c6de555af6443d8827ee0ecfc4a527f85d7a7ef5866141c92b09bd5731df5dcaebff24a78fc718afbb0a657e1817c904dc0ba6ae

C:\Users\Admin\Desktop\SwitchSuspend.doc.exe

MD5 64d7d4fa56629be1a766f91e850378f8
SHA1 7964d36e5519845a845d6c72698c45f3edff06e7
SHA256 1edb1ce8bb33c2b4eb9612dbfd83bc4afbe5a1add10f4db1cfcf6823650ade7c
SHA512 0f321db7ac5f4263213914bcaa27cca3ea21d479321dbdd97160838e21fb87971251469fc44061ff05587777ba2676ed57edd2ff138bef54771e7f517c5f5f44

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:10

Reported

2024-10-27 21:38

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voxrfmnm = "yqxvvewxzt.exe" C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mecpzdhk = "hnuazcuravcqyfc.exe" C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bynvwpaoghgrm.exe" C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\szqcyrrh.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hnuazcuravcqyfc.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\bynvwpaoghgrm.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created C:\Windows\SysWOW64\hnuazcuravcqyfc.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created C:\Windows\SysWOW64\szqcyrrh.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\SysWOW64\szqcyrrh.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created C:\Windows\SysWOW64\bynvwpaoghgrm.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\szqcyrrh.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\szqcyrrh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\szqcyrrh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D799D2182596D4376D577212DD67C8465DD" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B02044EF399A52BEB9D033E8D7CE" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDFABAFE13F198847A3B42819E3E93B08E038B43120238E2BE42E608A9" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8E482E82689046D65C7D94BDE2E135593067406245D799" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F76BC1FF6C22DAD209D0A38A0C9167" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC67415E1DBC2B9CE7CE0ED9634BB" C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
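
The registry rows in the tables above are flattened table cells: action, full NT object path with the value name fused onto the key, quoted data, writing process. As an added example (not part of the sandbox report or of the sample), the Python below parses rows of that shape into normalised IOC records and tags each with the technique it implements; the ATT&CK IDs are this example's mapping, not the report's. Two details are easy to misread in the raw rows: a path ending in a backslash (Run\ = "bynvwpaoghgrm.exe", .bat\ = "txtfile") sets the key's default value, not a value named with whitespace; and SFCDisable = "4294967197" is the unsigned rendering of 0xFFFFFF9D (-99), the value that disabled Windows File Protection on Windows 2000/XP. Windows Resource Protection on the win10v2004 platform used here does not honour it, so that write is a behavioural fingerprint rather than a working bypass. The sample rows are copied verbatim from the tables above.

```python
"""Normalise flattened registry rows from the Signatures tables into IOC records and
tag each with the defence-evasion or persistence technique it implements."""
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the behavioral2 tables above, one per tamper class.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voxrfmnm = "yqxvvewxzt.exe" C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bynvwpaoghgrm.exe" C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
"""

# "Set value (type) <path> = "<data>" <process> N/A"; key and process may contain spaces.
ROW_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)

SECURITY_CENTER = {"antivirusoverride", "antivirusdisablenotify", "firewalloverride",
                   "firewalldisablenotify", "updatesdisablenotify", "firstrundisabled"}


@dataclass
class RegIOC:
    hive: str
    key: str
    name: str
    type: str
    data: str
    process: str
    category: Optional[str]
    note: str = ""


def split_path(path: str):
    # \REGISTRY\MACHINE\... -> (hive, key without hive, value name); an empty name is the default value.
    key, _, name = path.rpartition("\\")
    if key.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM", key[len("\\REGISTRY\\MACHINE\\"):], name or "(Default)"
    if key.startswith("\\REGISTRY\\USER\\"):
        sid, _, rest = key[len("\\REGISTRY\\USER\\"):].partition("\\")
        return "HKU\\" + sid, rest, name or "(Default)"
    return "?", key, name or "(Default)"


def decode_dword(data: str):
    """The report prints DWORDs unsigned; return (unsigned, signed, hex) so 4294967197 reads as -99 / 0xFFFFFF9D."""
    v = int(data)
    return v, (v - 2**32 if v >= 2**31 else v), f"0x{v:08X}"


def classify(key: str, name: str, data: str) -> Optional[str]:
    # The writers are 32-bit (SysWOW64), so their HKLM\SOFTWARE writes land under WOW6432Node;
    # HKLM\SOFTWARE\Classes is shared and not redirected. Fold both views together.
    k = key.lower().replace("wow6432node\\", "")
    n = name.lower()
    if k.endswith("microsoft\\security center") and n in SECURITY_CENTER:
        return "T1562.001 Security Center alerts suppressed / AV and firewall state overridden"
    if k.endswith("explorer\\advanced") and n in {"hidefileext", "showsuperhidden"}:
        return "T1564.001 Explorer hides file extensions and hidden/system files"
    if k.endswith("policies\\system") and n == "disableregistrytools":
        return "T1562.001 Registry Editor disabled"
    if k.endswith("windows nt\\currentversion\\winlogon") and n in {"sfcdisable", "sfcscan"}:
        return "legacy Windows File Protection (SFC) switches; no effect on Windows 10 WRP"
    if k.endswith("currentversion\\run"):
        return "T1547.001 Run-key persistence"
    if k.startswith("software\\classes\\.") and n == "(default)" and data.lower() == "txtfile":
        return "T1546.001 script extension re-associated to txtfile (opens in Notepad, does not run)"
    return None


def parse_rows(text: str):
    iocs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                      # "Key created"/"Key opened" rows carry no data; skipped here
            continue
        hive, key, name = split_path(m["path"])
        note = ""
        if m["type"] == "int":
            raw, signed, hexv = decode_dword(m["data"])
            if signed != raw:
                note = f"{hexv} = {signed} as signed DWORD"
        iocs.append(RegIOC(hive, key, name, m["type"], m["data"], m["proc"],
                           classify(key, name, m["data"]), note))
    return iocs


if __name__ == "__main__":
    for i in parse_rows(SAMPLE_ROWS):
        print(f"{i.hive}\\{i.key} [{i.name}] = {i.data!r} by {i.process}\n    -> {i.category} {i.note}")
```

Feed it the full tables (copy every "Set value" row) to get one record per write; the Security Center block then shows the same six values written twice, which is how the two signatures "Windows security bypass" and "Windows security modification" come to overlap in the report.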

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\yqxvvewxzt.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\hnuazcuravcqyfc.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\bynvwpaoghgrm.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A
N/A N/A C:\Windows\SysWOW64\szqcyrrh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1464 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
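
The table above logs one row per cross-process write, two or three per child here, and reads as a flat list. This added example (not from the report) collapses the rows into a parent/child tree with write counts so the launch chain is visible at a glance: the sample spawns the four SysWOW64 copies and WINWORD.EXE, and yqxvvewxzt.exe in turn spawns a second szqcyrrh.exe. The caveat belongs in the triage notes: a parent writing into a process it has just created is what CreateProcess does when it places the new process's parameters into its address space, so these rows establish who launched whom, not that code was injected. WINWORD.EXE appears because the sample opened C:\Windows\mydoc.rtf with the legitimate Office binary (see its command line under Processes). The rows are copied verbatim from the table above.

```python
"""Rebuild the process tree from flattened 'Suspicious use of WriteProcessMemory' rows."""
import re
from collections import Counter, defaultdict

# Rows copied verbatim from the table above (every cross-process write the sandbox logged).
SAMPLE_WPM = r"""
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\yqxvvewxzt.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\hnuazcuravcqyfc.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Windows\SysWOW64\bynvwpaoghgrm.exe
PID 1464 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1464 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
PID 1812 wrote to memory of 3252 N/A C:\Windows\SysWOW64\yqxvvewxzt.exe C:\Windows\SysWOW64\szqcyrrh.exe
"""

# Both image paths may contain spaces ("Program Files"), so anchor each on a drive letter
# instead of splitting on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.+?) (?P<dst>[A-Za-z]:\\.+)$"
)


def build_tree(text: str):
    """Return (roots, children, names, writes); writes counts rows per (parent, child) edge."""
    writes = Counter()
    names = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        p, c = int(m["src_pid"]), int(m["dst_pid"])
        writes[(p, c)] += 1
        names.setdefault(p, m["src"])
        names.setdefault(c, m["dst"])
    children = defaultdict(list)
    for (p, c), n in writes.items():           # insertion order == order of first write
        children[p].append((c, n))
    child_pids = {c for _, c in writes}
    roots = [pid for pid in names if pid not in child_pids]
    return roots, children, names, writes


def render(text: str):
    """Indented one-line-per-process view; the count is the number of writes from the parent."""
    roots, children, names, _ = build_tree(text)
    lines = []

    def walk(pid, depth, n_writes):
        base = names[pid].rsplit("\\", 1)[-1]
        suffix = f"  ({n_writes} writes from parent)" if n_writes else ""
        lines.append(f"{'  ' * depth}{pid} {base}{suffix}")
        for c, n in children.get(pid, []):
            walk(c, depth + 1, n)

    for r in roots:
        walk(r, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_WPM)))
```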

Processes

C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe

"C:\Users\Admin\AppData\Local\Temp\e40c8047dc5285235dc0db62fc4f2b6dd2ae0d742dd093a8f4cf255672483cbbN.exe"

C:\Windows\SysWOW64\yqxvvewxzt.exe

yqxvvewxzt.exe

C:\Windows\SysWOW64\hnuazcuravcqyfc.exe

hnuazcuravcqyfc.exe

C:\Windows\SysWOW64\szqcyrrh.exe

szqcyrrh.exe

C:\Windows\SysWOW64\bynvwpaoghgrm.exe

bynvwpaoghgrm.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\szqcyrrh.exe

C:\Windows\system32\szqcyrrh.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.146:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 146.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 81.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp
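
Every destination in the table is either a reverse-DNS (in-addr.arpa) lookup issued by the sandbox resolver or Microsoft Office/Bing infrastructure that WINWORD.EXE contacts when it opens a document (roaming.officeapps.live.com, metadata/binaries.templates.cdn.office.net, g.bing.com, tse1.mm.bing.net). Nothing in the table points outside those services, so this run records no destination that would need command-and-control follow-up. This added example (not part of the report) encodes that triage: it parses rows of the table's shape, classifies them against a suffix allow-list matched on label boundaries (so bing.com.attacker.example would not pass), and counts TCP destinations. One row (203.0.113.10, example.invalid) is constructed, not from the report, purely to exercise the "review" branch.

```python
"""Triage flattened 'Network' rows of a sandbox report: separate resolver noise and
expected Office telemetry from destinations an analyst still has to look at."""
import re
from collections import Counter

# Rows copied from the behavioral2 Network table above, plus ONE constructed row
# (203.0.113.10 / example.invalid, TEST-NET-3 space) that is NOT in the report and
# exists only to exercise the "review" branch.
SAMPLE_NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.146:443 metadata.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.133:443 binaries.templates.cdn.office.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
ZZ 203.0.113.10:8080 example.invalid tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[0-9.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)

# Services WINWORD.EXE is expected to reach when it opens a document (roaming settings,
# template gallery, Bing-backed features). These are *suffixes*; domain_matches() checks
# them on label boundaries so "bing.com.attacker.example" is not waved through.
OFFICE_SUFFIXES = ("officeapps.live.com", "office.net", "bing.com", "bing.net")


def domain_matches(domain: str, suffix: str) -> bool:
    domain, suffix = domain.lower().rstrip("."), suffix.lower()
    return domain == suffix or domain.endswith("." + suffix)


def classify(row: dict) -> str:
    if row["domain"].endswith(".in-addr.arpa"):
        return "resolver-noise"        # sandbox PTR lookups of IPs it has just seen
    if any(domain_matches(row["domain"], s) for s in OFFICE_SUFFIXES):
        return "office-telemetry"
    return "review"


def triage(text: str) -> dict:
    rows = [m.groupdict() for m in map(ROW_RE.match, text.strip().splitlines()) if m]
    verdicts, tcp_dests, review = Counter(), Counter(), []
    for r in rows:
        v = classify(r)
        verdicts[v] += 1
        if v == "review":
            review.append(f'{r["ip"]}:{r["port"]}/{r["proto"]} ({r["domain"]})')
        if r["proto"] == "tcp":                     # DNS rows are lookups, not connections
            tcp_dests[(r["ip"], r["port"], r["domain"])] += 1
    return {"verdicts": dict(verdicts), "review": review, "tcp_dests": tcp_dests}


if __name__ == "__main__":
    result = triage(SAMPLE_NETWORK)
    print(result["verdicts"])
    for dest, n in result["tcp_dests"].most_common():
        print(f"{n:3d}x {dest[0]}:{dest[1]} {dest[2]}")
    print("needs review:", result["review"] or "nothing")
```

The allow-list is deliberately narrow and tied to the process that explains the traffic; if the same destinations appeared in a run without WINWORD.EXE in the process tree, they would no longer be explained and should drop back into the review bucket.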

Files

memory/1464-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\hnuazcuravcqyfc.exe

MD5 dbe948653a67f74fe3e7fcb73afd781e
SHA1 459c188024fdcc2b8995cf88f3a5f6f2b75e47f9
SHA256 05d7b02f8d3f8b2b708ee679a00c9a5a396bb274f00293b1f3afb815e9634676
SHA512 341a4746a7380ec37be6416cdcd62c6a8cca95773d67b51718145d1345fdb840b8c955e03c09e825e3ba63fb465e9ede3b113ae750cf02e46b380fd979973a6e

C:\Windows\SysWOW64\yqxvvewxzt.exe

MD5 f9717d322638f6b714f74185b6de9042
SHA1 0951ccc9334c92020f0365e7dcbeff6d2c9ba99e
SHA256 35dd5985728b8eab376cc593bd79b542718998598fe0d8c9376f136ebc135327
SHA512 b79854146dd919dae16082c69e25c1f8351f8a5bb0074a52930160690b5d4981eb62c4cdad84ccfe92d7de0500d6403babed92b7614f43b4200944240d70666d

C:\Windows\SysWOW64\szqcyrrh.exe

MD5 45a254e2041f19b07d75066765f16a51
SHA1 a24023a87564bb412bede08ec9cf8c20332479a7
SHA256 f5d03ec0b011d3148682c775b1f19764b3cd43bfff2d464e9ced4e3d8dcd57e2
SHA512 5c5fffcfa0cfd9d477481a456adcfeace1b7ffe115b30c32417a9cb5357e1da99d65f60ff65c4ad9379c30e7321b0bb24efddf82f6b74ef6e4e9b3b5e93e9e70

C:\Windows\SysWOW64\bynvwpaoghgrm.exe

MD5 31574c8a39d40f166ca3b95d15f6552a
SHA1 55c120142aa74d93e92ec26484c57f2033dbaf1d
SHA256 2547b0317054da263dafbbf0f0192b0fc8dca851846f1db0033e811cc765fa24
SHA512 0d436b4832510bceb7c811a916f5a4063a091703bda822065fafcc61825bf3c6b7159477028d85351df8d33b733f6f4ccb0720acf964925f00eaf123f5815660

memory/4640-35-0x00007FF8F6550000-0x00007FF8F6560000-memory.dmp

memory/4640-36-0x00007FF8F6550000-0x00007FF8F6560000-memory.dmp

memory/4640-37-0x00007FF8F6550000-0x00007FF8F6560000-memory.dmp

memory/4640-38-0x00007FF8F6550000-0x00007FF8F6560000-memory.dmp

memory/4640-39-0x00007FF8F6550000-0x00007FF8F6560000-memory.dmp

memory/4640-42-0x00007FF8F4420000-0x00007FF8F4430000-memory.dmp

memory/4640-43-0x00007FF8F4420000-0x00007FF8F4430000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 03a3df5528a82b6b2786942f28bd389a
SHA1 e8e36b78c4f1f36d52a31fee3459934fb54f011b
SHA256 d60273490a0b0879ba4986cadccb504ababda60826df360b4c6e5ef896543c0f
SHA512 c2d88b1c2abb8a3143d0257e10d4415c4b6e125e1f778f2bfc2e3150dd1d276b62357a4cc3822cdb4d86d7697672cc669f47b71dec0c4468d8cc7bfa58c06c80

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 d1b072536371124676ebaf5b88dd55b6
SHA1 9fd28c659f6d9508d57b3af3b5009ade1ecddf86
SHA256 b71319bc3c1ba24e75ea253bb4ff34937d08abed73638835fa311bd557ffc5ae
SHA512 5429c84c625f5ded1f369a05cfe530620cbea7f53605218d48b4ccb06f435b03d4d0cf004008a041e3991f3c204c3a46edf41cd5316ac829a7cc177e1614b8b9

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 dd866c8aba852fc87bfd461de7f6be22
SHA1 e770a50ad849ede9f9cbae1e330fbbfe8db13a46
SHA256 ba58ee8c4ca16c6f6c452c01bfbf752543a7a5386c4c304ce9ed69731009271c
SHA512 39c9c820409005bec6909cc2eb58fe05d5c893805bea423260f2e694cf04e4cff44509650c5288d5d18edb80e87cfb855b7ccef4ff3a81eee76be2a8e9ed74ce

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 025d9efe9ddd5f6201a4ee9d6d5ddcd3
SHA1 42a6bf6bb807b859861f309270ca1e6766bcfb08
SHA256 0affcbff22868f048f3696f87278409c22f2de9dd05a22bb6289497ac3e621a7
SHA512 ef98e45b40681581896dc3fafe39dc28052c1f203b2b7ef35692ada8e285d307fa9b4c97a2da4dff5717fda0a75e0ef43b83dff293045ba3d7b943068dc02b6b

C:\Users\Admin\AppData\Local\Temp\TCDFDED.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 27c12c9fdb74972aa7ca39b213ed8eee
SHA1 cd79202ab669c9056a5a5a9f1b8f15739433f9a5
SHA256 d22e6f178758428b76a4f84b3b4dd3398672403f933cf678ff5a6f2255c29814
SHA512 73d9cecc0c304d1caf0957642614d8d37a58c09d68dbc0354b99258498cc8bc16b658e190cb5ae617c4117beb8f1753f9e14a0c8b86077b167f2387a1e19a88d

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 6a0a7a8f4969b3fffd39296b63113d6b
SHA1 0ea3fc6d2bae422f687bae9e2a0da343ad7542b7
SHA256 31d6e7f434f6e7b67f97b6c57c068c125e1f4d6dab6594f3055e03468bd9d333
SHA512 a92a9baee581c2e6e91d8d8770541246c57382e4d982e87685289f539e2287fed2bd4d976953fb0e7c62fe8395161f05dfba26dd0b7a4638fa0d7a8cde7985e1