Malware Analysis Report

2025-04-03 19:49

Sample ID 241110-gtz4da1fmh
Target d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N
SHA256 d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043
Tags
upx discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043

Threat Level: Known bad

The file d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N was found to be: Known bad.

Malicious Activity Summary

upx discovery evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Windows security bypass

Disables RegEdit via registry modification

Checks computer location settings

Windows security modification

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 06:06

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 06:06

Reported

2024-11-10 06:08

Platform

win7-20241010-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "rzxtzmwzhlrli.exe" C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ipvdeudy = "kgrzmqayuv.exe" C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yjierbfg = "gxkayoeutsvrjdb.exe" C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hyjnbpji.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\rzxtzmwzhlrli.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\hyjnbpji.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\rzxtzmwzhlrli.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
File created C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File created \??\c:\Program Files\UndoPublish.doc.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files\UndoPublish.doc.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files\UndoPublish.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files\UndoPublish.doc.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files\UndoPublish.doc.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files\UndoPublish.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification \??\c:\Program Files\UndoPublish.doc.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\hyjnbpji.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\hyjnbpji.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\hyjnbpji.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\hyjnbpji.exe N/A

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6AC9F9BCF966F19884793B37869E3E94B38B038C4215023BE1C4429D08A8" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC3B05847E439EC53CCB9D2329FD7CF" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33332C7F9D5282556A3177D170272DD77CF465DF" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F88FC8D4F28826E9032D72A7E92BCE7E143594B66456332D79D" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78168B5FF1D21DCD20CD1D28A7D9063" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1949C67B1590DABEB9BD7CE6EDE334CE" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\kgrzmqayuv.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
N/A N/A C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
N/A N/A C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
N/A N/A C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
N/A N/A C:\Windows\SysWOW64\kgrzmqayuv.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\hyjnbpji.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A
N/A N/A C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe N/A
N/A N/A C:\Windows\SysWOW64\rzxtzmwzhlrli.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\kgrzmqayuv.exe
PID 2036 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\kgrzmqayuv.exe
PID 2036 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\kgrzmqayuv.exe
PID 2036 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\kgrzmqayuv.exe
PID 2036 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe
PID 2036 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe
PID 2036 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe
PID 2036 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe
PID 2036 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2036 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2036 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2036 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2036 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\rzxtzmwzhlrli.exe
PID 2036 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\rzxtzmwzhlrli.exe
PID 2036 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\rzxtzmwzhlrli.exe
PID 2036 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\rzxtzmwzhlrli.exe
PID 2036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2036 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2320 wrote to memory of 2940 N/A C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2320 wrote to memory of 2940 N/A C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2320 wrote to memory of 2940 N/A C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2320 wrote to memory of 2940 N/A C:\Windows\SysWOW64\kgrzmqayuv.exe C:\Windows\SysWOW64\hyjnbpji.exe
PID 2640 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2640 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2640 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2640 wrote to memory of 2280 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe

"C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe"

C:\Windows\SysWOW64\kgrzmqayuv.exe

kgrzmqayuv.exe

C:\Windows\SysWOW64\gxkayoeutsvrjdb.exe

gxkayoeutsvrjdb.exe

C:\Windows\SysWOW64\hyjnbpji.exe

hyjnbpji.exe

C:\Windows\SysWOW64\rzxtzmwzhlrli.exe

rzxtzmwzhlrli.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\hyjnbpji.exe

C:\Windows\system32\hyjnbpji.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2036-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\hyjnbpji.exe

MD5 188cdceae6240cda28accc01a38e96d5
SHA1 9c67afbccab283c34781d74da0e6e8bf391c15ec
SHA256 772125107e38c805a1298b9b9c229ff8a0f80f8994c4d155a5eca004749baf24
SHA512 3b0b8fa339992282c210f5e6d9bfaf9e303044ebcf651558ade5b93e46f2d351877b9f107907d141cbceb3b220da1af6dcdaa5adf71f65578dfc9b38828198cf

\Windows\SysWOW64\kgrzmqayuv.exe

MD5 5caaefd7b391e606a209742212179fd9
SHA1 a90c3ca693bdeca458b19931f8bce5897154ce7a
SHA256 9242c08409ebf652376076aca37c37e9f9029eb3fbb4dcf009f89aed9d979442
SHA512 9f7b3d6b91f456590ed033b0587b9fd23a9b1cf2c8812e47c43b569323670dbc64d45f073acc549c063d33968e3c053f61ddf732f28d1fced0f71cd5afb08c04

memory/2320-26-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2036-30-0x00000000032A0000-0x0000000003340000-memory.dmp

memory/568-28-0x0000000000400000-0x00000000004A0000-memory.dmp

\Windows\SysWOW64\gxkayoeutsvrjdb.exe

MD5 18601a54ca6741648d9f8d4adeabb8bd
SHA1 d576b39643bb7004a451c772f28a281567b98b26
SHA256 8a14787d256eb750868f1608e8c2df5124c88af07ac7fd1f2c302df978f97fec
SHA512 8dbd7e711ebff782c51c99a8269f4300a4e98da845104b5e8709a4cf49933d91060900348a72e78b1efddfba4d7b998a14dc1171ffaefbce7ebeebdffd000433

C:\Windows\SysWOW64\rzxtzmwzhlrli.exe

MD5 bc2b31bc1e99b6e2d88ac2abdaec5772
SHA1 f4bd880c255cc2e1902c6ad6949b170b65f3c504
SHA256 067ac4c0d72bec9d8d05f3a5bab84e659ac4ee174a6429e5b2da1c8dac91b9c6
SHA512 8b6f5893bf0907fe55f8cc917e25df07bbbeecb57551fd1391796316b813ad84fc986957f098cc1ca11caa152b046061b2aeae6ed88b14a645182bd44d0fc7cb

memory/2036-43-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2640-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

\??\c:\Program Files\UndoPublish.doc.exe

MD5 84007e11086edf331775d4c058f6798c
SHA1 2391dc20f528b108486e67971dc2d407b870c099
SHA256 d63c53060d4f06e10b6238c76917df78e3423c0ea20a97286507d6283ccc3914
SHA512 332a3956d102d8b3ab2208316a50dfd0f78868a7308a2acf046067475a17524b78f014a705482350f2950acda1514ea4a2a81fbb2534f013adcd740ec413ce9a

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 e1ba936ddc9d6753a35295ca6a24d035
SHA1 4f5f79617c4127f8d1f9346d3b399a953fe16cb6
SHA256 9feab5b1fe919d6de67765d79daf96bddb2910148a15e4c7e19fa93fe9413b30
SHA512 060d9d4f4190b1a1a2ef975b2001baa13ee8d501c5c05285c4ef8faaa13795d6aa9a7114e5363c1d8db7f4d456d1145d4e9fe00b62509a8626ea10bf24bcff6a

memory/2320-76-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-77-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2432-78-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-79-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-80-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-83-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2940-85-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2940-84-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2432-82-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-81-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-86-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2940-90-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-89-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2432-88-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-87-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-92-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2940-96-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-95-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2432-94-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-93-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2432-98-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2940-100-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-101-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-103-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-102-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-104-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-105-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-106-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-107-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-109-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-108-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-111-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-113-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-112-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-114-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-116-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-115-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-117-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-119-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-118-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-120-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-121-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-122-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2320-123-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/568-124-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2412-125-0x0000000000400000-0x00000000004A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 06:06

Reported

2024-11-10 06:08

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\yzuynacker.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\yzuynacker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ywkoanwa = "yzuynacker.exe" C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kfgkrtfq = "voyhdnjouehkpqp.exe" C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "vfsnepccstbdd.exe" C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\yzuynacker.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\pldorktq.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\yzuynacker.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\yzuynacker.exe N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\yzuynacker.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created C:\Windows\SysWOW64\yzuynacker.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\yzuynacker.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\voyhdnjouehkpqp.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\pldorktq.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\vfsnepccstbdd.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\voyhdnjouehkpqp.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification C:\Windows\SysWOW64\pldorktq.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File created C:\Windows\SysWOW64\vfsnepccstbdd.exe C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\pldorktq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\pldorktq.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\yzuynacker.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\pldorktq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\pldorktq.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\yzuynacker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECBB15F479539ED52CCBAA033EAD4BC" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFABBFE64F19183743B3086EA39E5B38A02F143600332E2CE459A09D1" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184BC60C15E5DAB0B9BD7FE0EDE337C8" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\yzuynacker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32352D0D9D2C82566A3276D170252CAE7DF465DB" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7F8CFFF84F5A851F913DD65C7D96BDEEE631584367456343D790" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E08168B2FE6F21AED208D0A08B7E916B" C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\yzuynacker.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\vfsnepccstbdd.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\voyhdnjouehkpqp.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A
N/A N/A C:\Windows\SysWOW64\pldorktq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\yzuynacker.exe
PID 3092 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\yzuynacker.exe
PID 3092 wrote to memory of 244 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\yzuynacker.exe
PID 3092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\voyhdnjouehkpqp.exe
PID 3092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\voyhdnjouehkpqp.exe
PID 3092 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\voyhdnjouehkpqp.exe
PID 3092 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\pldorktq.exe
PID 3092 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\pldorktq.exe
PID 3092 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\pldorktq.exe
PID 3092 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\vfsnepccstbdd.exe
PID 3092 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\vfsnepccstbdd.exe
PID 3092 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Windows\SysWOW64\vfsnepccstbdd.exe
PID 3092 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3092 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 244 wrote to memory of 3180 N/A C:\Windows\SysWOW64\yzuynacker.exe C:\Windows\SysWOW64\pldorktq.exe
PID 244 wrote to memory of 3180 N/A C:\Windows\SysWOW64\yzuynacker.exe C:\Windows\SysWOW64\pldorktq.exe
PID 244 wrote to memory of 3180 N/A C:\Windows\SysWOW64\yzuynacker.exe C:\Windows\SysWOW64\pldorktq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe

"C:\Users\Admin\AppData\Local\Temp\d59cef57eae3f85702aab188b964ebfd5599e299b8087f8ab4099bb10dcaa043N.exe"

C:\Windows\SysWOW64\yzuynacker.exe

yzuynacker.exe

C:\Windows\SysWOW64\voyhdnjouehkpqp.exe

voyhdnjouehkpqp.exe

C:\Windows\SysWOW64\pldorktq.exe

pldorktq.exe

C:\Windows\SysWOW64\vfsnepccstbdd.exe

vfsnepccstbdd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\pldorktq.exe

C:\Windows\system32\pldorktq.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
GB 2.19.117.150:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 150.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3092-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\voyhdnjouehkpqp.exe

MD5 909ef8166dfcec0ebc09f5729c89beb2
SHA1 c5f146bf7362d72da3f9e1e6dad7d84ddfd3f678
SHA256 68192925e7689ed56b4617255cb5ec131173fc8d85f600abe91aa839f226b95d
SHA512 662c466046d68b9506e5806c407e4d5b4b905778a5bdbeb007317e7855a6a8e708c9776e9164fdd14dbb63e350546819a072478e96d2d8bc20c9095fc14a893c

C:\Windows\SysWOW64\yzuynacker.exe

MD5 ddb5693a45662843928d031b7d37e2b6
SHA1 f77b297b042232429534964c399dec1977dcb02b
SHA256 b4fab22c42776fcbf66f2b68e2cc1b1d0b7d247ecbe879e92e614c1716e7f8a2
SHA512 0875202d511d513ccaa88d854b17ff851851b9561bbd53fdcb3218cee51f883a00d11da0345dae08e35c0e6b7903fa13150e56c428efb640e8c975d28f0bc62f

C:\Windows\SysWOW64\pldorktq.exe

MD5 cc6f73e473b4cec84874552ddda5f3db
SHA1 349b7b29a7d5bdbfe28af900d150685d03fe4e2c
SHA256 915993bb9c0e9d90e7ea4211e86cc7ac969396180018765707650e449f16e3dc
SHA512 e0939722604477a23efee3f7674cda6516a9dc04629643f670482efddf0228a64616ff7e2705acc88c79bf4d8e07390c90cd926ed6321afd572bede2814e74a3

C:\Windows\SysWOW64\vfsnepccstbdd.exe

MD5 210fcc518c8016e6de762e0f88c93dd9
SHA1 5fd2bdd486dd4c7ae3590274273b61401aa43ada
SHA256 7711b751d0daec40c0836c0108bfb8f8afa68f702f2b43dda49cb701a59f3730
SHA512 da191947a6925d80a636395e8bfc38d1f03a2ff2aa4d36b583316c70c3895df1c7552dc6da52345cef67e57f77a61ec8ca4c14a29a189b4f3c53674250cbb37e

memory/3092-32-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4860-36-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

memory/4860-35-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

memory/4860-34-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

memory/4860-37-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

memory/4860-38-0x00007FF8C6790000-0x00007FF8C67A0000-memory.dmp

memory/4860-39-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp

memory/4860-40-0x00007FF8C4290000-0x00007FF8C42A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 445649a56d2b545938ea6dbc088a6b31
SHA1 20d25ccdaeb7b45e2fef245b03f59e76dec3be95
SHA256 c59e3b5339aeddd105db44446c6b31d0a7ed08e84ec6592d89bbd084e45ea1bd
SHA512 fd3f2d4fd8626e9588f49a6d9d48b3b9f84e586bf764b783a67d35798bea0e6cfa5e248cede1b89c010c637ff8353095f2835bcc998e3a35caf89bad75fc52d2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 128f1ddb3bcc2eddddd915be9f3eb2e6
SHA1 087dca9466a5a5ef59901ca99a0247b18cd37759
SHA256 8ac9ff07ea918106605975300634f97edab04305c017f9036041fecb90232f91
SHA512 50c21f54bdce1b8bf913b10f617344839f7d4f71438c39d9d729607c838e684a4f3270b4348999a4c42645508ff591efc43a45a30c00d7a0cfcf769c369c4f7b

memory/244-76-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SwitchWrite.doc.exe

MD5 113dda566fb06520fa5b98f39f896a8b
SHA1 9792354155f8b0ce69b70f6174395e6dbc8c7199
SHA256 f16367972822dd9779285ced0f0c0a57e67646a718d40a01b60c1e579d2ec2f1
SHA512 bf70daee3a9b9d2b9856b7f92a2b6b6bfc9fbe01a1ff5fb10a2d3009e47e08fab84b0e3f1dc123b925a0d5d4357f86508470caa0ef4fa5bfa2def87274748b8f

memory/4572-82-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-83-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-84-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-85-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-86-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-88-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-87-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-90-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-89-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 29dc5bb94c77f229901c88fb11af56d7
SHA1 f44968fff38b3e0b5b7ed3eb32d2649eada11b3a
SHA256 eb519ea3fb48149f5b865c48f46fbcdc0e81479fd0991f1eb8bd6f9ee92f0872
SHA512 b85ed75ab4da1af0f096265718b6114769c0e94c60c34f98248010c906c0fa3add36d96878c9578dcd6daf58669412ebbfd05218ab5abb91b912f6ab0aa00626

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 86ef82071d7f1ff22050705f35c68cc9
SHA1 34f139921e5e148159b005d133e9c6e22069d1f9
SHA256 d05dde598da2cfa8997e8a7a378b87d0d9d7a735916ec43405cf2c334a369bac
SHA512 4455e7ef9db3ac7ca3fd475ef661a983d430bbc66df72d84e5a023699dde926841bdd5d6509f986a35a17881ba1f6c2e224ae3152a0871e30fae6ea587df65b6

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 17f2046b650ea20715710f430f3a9c2f
SHA1 7451f4d602c0063da6537cfd9778147aa8b4fb94
SHA256 838bd0b96034655fe2509ce69ce23cbe143a1855c17704250a08aec27d1bcc48
SHA512 caca37434ac680d47257f89468af1e5488812750fb96ec51e3ebd2ef5e50c2cf6d19e45b218f61355dbb7e01de44e6764fd64e68165be6a22be8b458164dd7dc

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 fa5037f7239a392e4afd3023bf9d744d
SHA1 3204e6c9c63dac7e751986b34c7a93194c96ca6d
SHA256 cc571ccab9cfe4b2a62509baa2a9b6d5478acfe5c39bd086a34826d08eb8549b
SHA512 fb936f17d773982582828e3f21a49a1e11cb084e418b6c85ca2dc5b8d2a022c11b2828d7ce3de4715099f3b6f4d038f43fe94402f0b88fc2d53e8e36eaabc8c2

C:\Users\Admin\AppData\Local\Temp\TCDF1F7.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

memory/244-235-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-236-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-237-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-239-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-238-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-241-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-243-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-242-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-240-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-244-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-245-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-248-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-249-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-247-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-246-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/3180-253-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4292-252-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-255-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-256-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-254-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-257-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-258-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-259-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-263-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-264-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-265-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-266-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-267-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-268-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-269-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-270-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-271-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-273-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-274-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-272-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/244-275-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4572-276-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2944-277-0x0000000000400000-0x00000000004A0000-memory.dmp