Malware Analysis Report

2025-08-05 23:17

Sample ID: 250115-11rv5ayjfq
Target: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01
SHA256: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01
Tags: discovery evasion persistence spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01

Threat Level: Known bad

The file 2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01 was found to be: Known bad.

Malicious Activity Summary

Tags: discovery evasion persistence spyware stealer trojan upx

Modifies visibility of file extensions in Explorer
Windows security bypass
Modifies visibility of hidden/system files in Explorer
Disables RegEdit via registry modification
Boot or Logon Autostart Execution: Active Setup
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Reads user/profile data of web browsers
Modifies WinLogon
Enumerates connected drives
Adds Run key to start application
UPX packed file
Drops file in System32 directory
AutoIT Executable
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-15 22:07

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-15 22:07
Reported: 2025-01-15 22:09
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"

Signatures

Modifies visibility of file extensions in Explorer

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

Modifies visibility of hidden/system files in Explorer

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

Windows security bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

Disables RegEdit via registry modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Windows security modification

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ueybtikp = "tdkmlnmfdo.exe" | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qlqmgzpe = "qvrwxqrmmjxkpdi.exe" | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cqjxieyamfukj.exe" | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\dovyreyx.exe | N/A

Modifies WinLogon

Tags: persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (63 identical rows)

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\tdkmlnmfdo.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File opened for modification | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File created | C:\Windows\SysWOW64\cqjxieyamfukj.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Windows\SysWOW64\tdkmlnmfdo.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File created | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File created | C:\Windows\SysWOW64\dovyreyx.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dovyreyx.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File opened for modification | C:\Windows\SysWOW64\cqjxieyamfukj.exe | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A

UPX packed file

Tags: upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (64 identical rows)

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
File created | C:\Windows\~$mydoc.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | C:\Windows\SysWOW64\dovyreyx.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dovyreyx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cqjxieyamfukj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dovyreyx.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB0FF6D21DAD10FD0A78A0B906A" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9C9FE16F2E784783A40819939E3B0F902FE42600332E2CE429D08A3" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15A449338EB52CCBAD7339CD4CE" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67D14E3DAB6B8BA7F97EC9E34CC" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCF9482A82199131D75B7E9CBD97E144594166426335D79E" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7C9C2283526A3076A570542CD87DF364D6" | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe | N/A   (16 identical rows)
N/A | N/A | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A   (10 identical rows)
N/A | N/A | C:\Windows\SysWOW64\tdkmlnmfdo.exe | N/A   (10 identical rows)
N/A | N/A | C:\Windows\SysWOW64\dovyreyx.exe | N/A   (8 identical rows)
N/A | N/A | C:\Windows\SysWOW64\cqjxieyamfukj.exe | N/A   (12 identical rows)
N/A | N/A | C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe | N/A   (2 identical rows)
N/A | N/A | C:\Windows\SysWOW64\dovyreyx.exe | N/A   (6 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4284 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 4284 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 4284 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 4284 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 4284 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 4284 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 4284 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 4284 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 4284 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 4284 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 4284 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4284 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4000 wrote to memory of 1992 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 4000 wrote to memory of 1992 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 4000 wrote to memory of 1992 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
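As an added example (not part of the sandbox report), the Python below rebuilds the process tree from the WriteProcessMemory rows above. The row text is reconstructed verbatim from the table; the sandbox records one row per write, and a parent writes into a freshly created child several times (three per dropped binary here, two for WINWORD), so the rows are de-duplicated into parent/child edges rather than counted. Function names are this example's own.

```python
"""Rebuild the process tree from the sandbox's
"Suspicious use of WriteProcessMemory" rows.

Added example, not part of the sandbox report. Row text is reconstructed
from the report's table (column order: Description, Indicator, Process,
Target).
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"
SYS = r"C:\Windows\SysWOW64"
WORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"

# The 17 rows exactly as the report lists them (3 writes per dropped child, 2 for Word).
WPM_ROWS = (
    [f"PID 4284 wrote to memory of 4000 N/A {SAMPLE} {SYS}\\tdkmlnmfdo.exe"] * 3
    + [f"PID 4284 wrote to memory of 2424 N/A {SAMPLE} {SYS}\\qvrwxqrmmjxkpdi.exe"] * 3
    + [f"PID 4284 wrote to memory of 4076 N/A {SAMPLE} {SYS}\\dovyreyx.exe"] * 3
    + [f"PID 4284 wrote to memory of 4808 N/A {SAMPLE} {SYS}\\cqjxieyamfukj.exe"] * 3
    + [f"PID 4284 wrote to memory of 5032 N/A {SAMPLE} {WORD}"] * 2
    + [f"PID 4000 wrote to memory of 1992 N/A {SYS}\\tdkmlnmfdo.exe {SYS}\\dovyreyx.exe"] * 3
)

# Both paths start with a drive letter; that is what separates the Process
# column from the Target column even when a path contains spaces.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) (\S+) ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)


def parse_edges(rows):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges, first-seen order."""
    seen, edges = set(), []
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, cpid, _indicator, pimg, cimg = m.groups()
        edge = (int(ppid), int(cpid), pimg, cimg)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map parent pid -> list of (child pid, child image)."""
    tree = defaultdict(list)
    for ppid, cpid, _, cimg in edges:
        tree[ppid].append((cpid, cimg))
    return dict(tree)


def roots(edges):
    """Pids that write into others but were never written into themselves."""
    parents = {e[0] for e in edges}
    children = {e[1] for e in edges}
    return sorted(parents - children)


def render(edges):
    """Indented text tree, one line per process, starting at each root."""
    tree = build_tree(edges)
    images = {e[0]: e[2] for e in edges}
    images.update({e[1]: e[3] for e in edges})
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid}  {images[pid]}")
        for cpid, _ in tree.get(pid, []):
            walk(cpid, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    print(f"{len(WPM_ROWS)} rows -> {len(edges)} unique parent/child edges")
    print(render(edges))
```

The rendered tree shows the submitted sample (4284) launching the four dropped copies in SysWOW64 plus WINWORD (5032), and tdkmlnmfdo.exe (4000) launching a second dovyreyx.exe (1992), which matches the two dovyreyx.exe entries in the Processes list below. The number of writes per child is not constant, so deduplicating by edge is safer than dividing the row count by three.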

Processes

C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe

"C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"

C:\Windows\SysWOW64\tdkmlnmfdo.exe

tdkmlnmfdo.exe

C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

qvrwxqrmmjxkpdi.exe

C:\Windows\SysWOW64\dovyreyx.exe

dovyreyx.exe

C:\Windows\SysWOW64\cqjxieyamfukj.exe

cqjxieyamfukj.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\dovyreyx.exe

C:\Windows\system32\dovyreyx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.27.146:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 146.27.18.2.in-addr.arpa udp
US 8.8.8.8:53 161.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4284-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

MD5 e928b10a13f331783eef8397488672e0
SHA1 2dfa082c487ac39c3c941a520d55df8cbc92925b
SHA256 4c39bbe26130544540ba539ef7de24313687d2cf45c2fb7e58026ff9155aba1c
SHA512 bd022f94142f950e2636f1889210fe38aa10902be0b6167796f8ddc86f1e39be5a9f8536994d81330e31225872efd9d72b9f013e076a3bab63d18ec571fccedd

C:\Windows\SysWOW64\tdkmlnmfdo.exe

MD5 38c3c647d8c2268cd24ec56c04ece57d
SHA1 45c27057355bb66a2858ab215e151cc46bdd0ebf
SHA256 e3ee8e41fabdf65a44f2fb23cdb4be47ff7eef3470427a48f475dab29552fab9
SHA512 a331d665d7736a8964a92a6dc409e75c4fc16a1627cc5702882c430d40d8f1570501e296d02a4b8705eecf991f3e90a1692a26704e3c4086e3e807a91b505d68

C:\Windows\SysWOW64\dovyreyx.exe

MD5 9df3909fa0203734fd67f09b205a9300
SHA1 57a17d917a49813d5edea03ff216b8e2b6d00418
SHA256 33f02fe96c52c3b9d66de257ca0465ccbf425b68550280310f801661acfc29cd
SHA512 9d39763a175ddda8e33b672fce4b5731fe4a9e9d6d32a28ed53ceaf40428d8a41069d528f6b9f586664b59ce2aed844d081f6fae95e39aada396a7d9a4d62560

memory/4076-27-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\cqjxieyamfukj.exe

MD5 fef9ac4866d09ae277e8386f24fd5cc8
SHA1 46363ac5c27888a969b2ccb7572a5664b1f1662e
SHA256 5d471196627cd755e6a54cac189a9c80a52d4f0fec8e5dca49127f279f351122
SHA512 473f24f4169746bc7c83280a899ae8282fac5eee8242680a842698452bdf62e9ca25d1e7f1e428267ddb2c0cc2123213ccd223d21a8cdc1eda2d16f097363245

memory/4808-32-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-24-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4284-35-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/5032-36-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

memory/5032-40-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

memory/5032-39-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

memory/5032-38-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

memory/5032-37-0x00007FFE91D70000-0x00007FFE91D80000-memory.dmp

memory/1992-43-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/5032-42-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

memory/5032-44-0x00007FFE8F440000-0x00007FFE8F450000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 d69cee2243db753ab4efde604933f0c2
SHA1 caafa5ec2c4a5e7c7f67d1beadb0a646de9e3217
SHA256 066cd0fe467030c99e2b268bfbe5fa5cdc036612785151654ee9a4d2f7946794
SHA512 c25ca54b0a612b725fd19ad9183e0cffe5fcbfd598719a8f26507abdbaa70384240e2b03b40fcc8584f1b19a53c04e75210e6b7b7ddecd544e9066ae7742beea

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 c0b8ebdeb9df251bd8e9a5f68ed7304a
SHA1 3babfadd7cd403a2d5d16b53e321b5afc14b70d9
SHA256 4996a844503068afa4a52e2749014301bbef377216d02c9f58f722083a02869f
SHA512 3210e06d0ed9622a0ec583c5254794f4e206ed829676a77987dae600ea06eb882be368760b54408c87d7c227d5d8a0517c8c6e28a4e17342ab1b284d7cb5abdb

memory/4000-74-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-75-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-76-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\Desktop\AssertWait.doc.exe

MD5 8d1e96c0dd500632e37b17d578ddc732
SHA1 dcd90ae6952d94978533924aadc6ad44834ace81
SHA256 b914891d97a012ab7fc387bc357f73db09c43ed32615e242693ab8627a95afb0
SHA512 c5113251276986f396fa1ff625950f66c1881a7a2b10fcf72a65823771840bd2306cdfe0b3f27d53417896fc62467120955e5472a1212fafa0f128b9313981e3

memory/4808-83-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-84-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-85-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-86-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-89-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-88-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-87-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 22dbc4ec04dfc6a6430d187eba50a57f
SHA1 dd273be9a73bc71928292929c2fd359bd4b7c7cf
SHA256 8a4f88404ec028775f8563449c90683252876739ecc3071ce375618b92023c89
SHA512 240b2a99db363142b3ceebe8f9074997f70438ca4a3b6b99bcac031750bbb90c24054c3456abf24c9387b81bd0aa1899a5c80ee6ba80c9a8762d9fe234a7d0a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 81815c559dce0d196720a57ee4c4a5e2
SHA1 740fdf51b6e64d49b2223dd3ef499e11f0869a84
SHA256 37672e142b6c62fd627b8ab1ce932c35cece40e8eaa3232356d0367a6622562c
SHA512 3848155db81418b64b5f7cfbba1930588ea0e247630722cd2f4b722426db758f79ebe7ccb391ffb03904a2f0a7af29508a0600932e1dd04bb00f49d5793e3478

C:\Users\Admin\AppData\Local\Temp\TCDE26E.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

memory/4000-255-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-258-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-257-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-256-0x0000000000400000-0x00000000004A0000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 268501b6e720ad389edd48b9789feb1d
SHA1 2da2111c81cef429988ed62071dac790054d1c9a
SHA256 877c02693c3127d6e8da69be0958ac74ca8d5a330c09acbef1c8d2952c4b9286
SHA512 0a3070a6ce1904d12c26414f305447ddf907b5d1bb92f2085c35210a8b04cbee6eb9a06d3fe031a2c5f10297e1a26265167f4ba3e627bfcb0c5c1c1f9c0c9fac

memory/1992-266-0x0000000000400000-0x00000000004A0000-memory.dmp

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 17e64d8c1bf606ee485624e06b60c7be
SHA1 e2164dae1c8d5cb2c31fbce69ea043eb8ec39e9f
SHA256 722b10c6032ee941c6af033f16df4880f3a0174f0e0ef22385c4e0369fefec98
SHA512 c7be0f03fb51988293b978e7e2d29eb45516265107d0e8a5ce72d029d2af9bdec37c48b882bf1fe91e653fc0ccd2a828a5911bd4e661de3d9bfbe4dac20f2d2e

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 5f3bed296a37b61a86593623f1d5e09b
SHA1 52acc3d80469fe7644ec9ee3ad585d3ea6c9a155
SHA256 d4271b34bc5ed4e83686edf3708541343997fd782ed531368f456b09f1f711b0
SHA512 b328079fc01911075d25881ecd5defd0bd09fa0c99bc28e74ffb76c1a012b805a1511c2877849ccadcd31e60ed84b3748cc27cb5d5b3dfed297c1c2ebfec86f1

memory/4076-273-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-274-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-272-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-271-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-275-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-276-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-279-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-278-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-277-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-280-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-281-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-284-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-283-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-282-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-285-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1992-288-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4076-289-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-290-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-292-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-291-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-298-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-299-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-300-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-301-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-302-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-303-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-305-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-306-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-304-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-307-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-308-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-309-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-310-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-311-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-312-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-313-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-315-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-314-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-316-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-317-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-318-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4000-319-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2424-320-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/4808-321-0x0000000000400000-0x00000000004A0000-memory.dmp
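The Files section above is a flattened list: a path, then its digests, with memory-dump entries interleaved. As an added example (not the sandbox's code), the Python below parses an excerpt copied from that section into records, validates digest lengths before anything is lifted into a blocklist, flags double-extension names (the .doc.exe and .DOC.exe files that Explorer shows as plain .doc once HideFileExt is set to 1), and groups entries by normalised path so that a file written several times with different content, as MsoIrmProtector.doc.exe is here, stands out. SHA1 and SHA512 lines are left out of the excerpt for brevity; the parser accepts all four. The extension list in DOUBLE_EXT_RE is this example's own and is broader than the two seen on this page.

```python
"""Parse the sandbox's flattened "Files" listing into records and run the
checks an analyst wants before lifting hashes into a blocklist.

Added example, not part of the sandbox report. FILES_EXCERPT is copied from
the report's Files section (SHA1/SHA512 lines omitted for brevity).
"""
import re
from collections import defaultdict

FILES_EXCERPT = r"""
C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

MD5 e928b10a13f331783eef8397488672e0
SHA256 4c39bbe26130544540ba539ef7de24313687d2cf45c2fb7e58026ff9155aba1c

memory/4284-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 c0b8ebdeb9df251bd8e9a5f68ed7304a
SHA256 4996a844503068afa4a52e2749014301bbef377216d02c9f58f722083a02869f

C:\Users\Admin\Desktop\AssertWait.doc.exe

MD5 8d1e96c0dd500632e37b17d578ddc732
SHA256 b914891d97a012ab7fc387bc357f73db09c43ed32615e242693ab8627a95afb0

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 268501b6e720ad389edd48b9789feb1d
SHA256 877c02693c3127d6e8da69be0958ac74ca8d5a330c09acbef1c8d2952c4b9286

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 17e64d8c1bf606ee485624e06b60c7be
SHA256 722b10c6032ee941c6af033f16df4880f3a0174f0e0ef22385c4e0369fefec98

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 5f3bed296a37b61a86593623f1d5e09b
SHA256 d4271b34bc5ed4e83686edf3708541343997fd782ed531368f456b09f1f711b0
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
# A document extension immediately followed by .exe: the classic lure name (list is this example's own).
DOUBLE_EXT_RE = re.compile(r"\.(doc|docx|rtf|xls|xlsx|ppt|pptx|pdf|txt)\.exe$", re.I)


def normalize_path(path):
    """Drop the NT object-manager prefix the sandbox sometimes keeps and fold case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_files(text):
    """Records of {path, memory, hashes}; raises on a digest of the wrong length."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or current["memory"]:
                raise ValueError(f"hash without a file path: {line!r}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} has {len(digest)} hex chars on {current['path']}")
            current["hashes"][algo] = digest
            continue
        current = {"path": line, "memory": line.startswith("memory/"), "hashes": {}}
        records.append(current)
    return records


def double_extension(path):
    return DOUBLE_EXT_RE.search(path) is not None


def rewritten_paths(records):
    """Paths written more than once with different content: {normalised path: {sha256, ...}}."""
    seen = defaultdict(set)
    for r in records:
        if not r["memory"] and "SHA256" in r["hashes"]:
            seen[normalize_path(r["path"])].add(r["hashes"]["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def exe_sha256s(records):
    """Sorted SHA256 set for every on-disk .exe, ready for a blocklist."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if not r["memory"] and r["path"].lower().endswith(".exe")
                   and "SHA256" in r["hashes"]})


if __name__ == "__main__":
    recs = parse_files(FILES_EXCERPT)
    print("lures:", [r["path"] for r in recs if double_extension(r["path"])])
    print("rewritten:", {p: len(s) for p, s in rewritten_paths(recs).items()})
    print("\n".join(exe_sha256s(recs)))
```

Run against the full section, the same grouping would also pair the two customDestinations-ms entries; those are Word's own jump-list writes, so a path appearing twice is a prompt to look, not a verdict on its own.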

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:07

Reported

2025-01-15 22:09

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ueybtikp = "tdkmlnmfdo.exe" C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qlqmgzpe = "qvrwxqrmmjxkpdi.exe" C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "cqjxieyamfukj.exe" C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\m: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\dovyreyx.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

AutoIT Executable

Description Indicator Process Target
56 rows, every field N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File created C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File opened for modification C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File opened for modification C:\Windows\SysWOW64\cqjxieyamfukj.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
File created C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File created C:\Windows\SysWOW64\dovyreyx.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File opened for modification C:\Windows\SysWOW64\dovyreyx.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
File created C:\Windows\SysWOW64\cqjxieyamfukj.exe C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A

UPX packed file

upx
Description Indicator Process Target
63 rows, every field N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\dovyreyx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dovyreyx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dovyreyx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E8BFCF9482A82199131D75B7E9CBD97E144594166426335D79E" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F46BB0FF6D21DAD10FD0A78A0B906A" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32472C7C9C2283526A3076A570542CD87DF364D6" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BB4F9C9FE16F2E784783A40819939E3B0F902FE42600332E2CE429D08A3" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FB0B15A449338EB52CCBAD7339CD4CE" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1938C67D14E3DAB6B8BA7F97EC9E34CC" C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\dovyreyx.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\SysWOW64\cqjxieyamfukj.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 2988 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 2988 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 2988 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\tdkmlnmfdo.exe
PID 2988 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 2988 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 2988 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 2988 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe
PID 2988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 2988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 2988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 2988 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 2988 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Windows\SysWOW64\cqjxieyamfukj.exe
PID 1664 wrote to memory of 2820 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 1664 wrote to memory of 2820 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 1664 wrote to memory of 2820 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 1664 wrote to memory of 2820 N/A C:\Windows\SysWOW64\tdkmlnmfdo.exe C:\Windows\SysWOW64\dovyreyx.exe
PID 2988 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2988 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2988 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2988 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2576 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2576 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2576 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2576 wrote to memory of 2508 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe

"C:\Users\Admin\AppData\Local\Temp\2b91184c2fd4938049661a9dd1eb5b928609e357411fff878277d51aff72db01.exe"

C:\Windows\SysWOW64\tdkmlnmfdo.exe

tdkmlnmfdo.exe

C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

qvrwxqrmmjxkpdi.exe

C:\Windows\SysWOW64\dovyreyx.exe

dovyreyx.exe

C:\Windows\SysWOW64\cqjxieyamfukj.exe

cqjxieyamfukj.exe

C:\Windows\SysWOW64\dovyreyx.exe

C:\Windows\system32\dovyreyx.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2988-0-0x0000000000400000-0x00000000004A0000-memory.dmp

C:\Windows\SysWOW64\qvrwxqrmmjxkpdi.exe

MD5 68df199f55eb43a47f090e53f716fd7d
SHA1 3664f81b11e2ebb01214a37418b95e9e049eab8d
SHA256 e824770d7b0874dfd0e62a3686ae3e1bd352862e5ac1e3b8fc4c21c56e14ee64
SHA512 c0b74c6ccf48005d719cf5eb8123a4c26ab71d7b9c6c791d33549717919f573aa69ee498feb85e23be0f27335c2c4718a6ed9babffd80b86409a01ec59ab0ecd

\Windows\SysWOW64\tdkmlnmfdo.exe

MD5 61f59638749b72309447f526ba4acf31
SHA1 ea77105c8c378ff49602f1c94c3d7a809a7e7dc6
SHA256 14d4360e326e802ad776d10316752bdb306eb3fe54773182e296eb7757da5476
SHA512 eefa6cc905e26ff8c14aefa1681a657895d5337d695c1f18fe66976a3337b07129fbdf85c8d303223f6400945adf5690cbf327f81dde28fbea8092734ed1dcb7

\Windows\SysWOW64\cqjxieyamfukj.exe

MD5 cc2cc8c6c95eb41622a2144967bbceec
SHA1 e08cbf42a04f16e1f7382f4d60d02c395c704341
SHA256 3c67d9e139dc9654b8b1d22961ff290914e0b4d561fbe7eca653301a6d584dd1
SHA512 83869566eb0045ae02d0129075f4300c690953d30d7c8f1b1eaeb1567f59bea8de810012c39f96a26df58610d3aeac52e3f59e1190ed0520de1d35b16f0daaca

C:\Windows\SysWOW64\dovyreyx.exe

MD5 da0c0d2aa56277f6128c90aa32f28d04
SHA1 f8e66d9355055e86cbba7fd7677caf4336079478
SHA256 8febe0e1881dd96f2737084d5e9ee0722d7be7d98cd2e0c1c26a670518d02c20
SHA512 45553d444c0016e36087d76355d1093ef265805f20632e1813a2efee8d95270f53bea1f5dcc3bf742e06bfa2d52f9ebe6ae3669ba1708b0fa31e28d1f37ddd1a

memory/1664-40-0x0000000003BE0000-0x0000000003C80000-memory.dmp

memory/2820-41-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2988-42-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2988-44-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2576-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 5ab16107bd9d4f1f3f842f8aa42bdd6f
SHA1 f1d13d1d5e732b6d21fa2cb6dc650d23ec029c0f
SHA256 5f6bda2c93292d669b9313a7ffbc68bf4e7d18958c47b87f2d68254c382a049c
SHA512 d8d0f1fe7f47bf09b28c27e7dd14b2e9d2e204a0845324853dfdd00ff9202952bad63c21703169e8c559c72d5d076bb22661f6121e825611f5fa618cf495860f

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 39f7bdca5a2b453c35921a4b2bdc33c6
SHA1 3dce515034396ffe5017d9eff3f0bbf2eff2a3a7
SHA256 d95d556dd97d90950d2b3be5e0bd4a129a0113f86302a23ec4a01ae5fb4fa099
SHA512 e7e9740aaaca946d7418d8162f80222e365c31f3c4fb751f881658e373b8b656d4d8761b32cb5aab7715b338da849686cfb5b3fef0e563cbfebb4fc5c6172286

memory/1664-72-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-73-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2680-74-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-75-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2820-76-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-77-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2680-79-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-80-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-78-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2820-81-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-82-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-85-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2820-86-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2680-84-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-83-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2820-89-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2680-90-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-92-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-93-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-94-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-95-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-96-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-97-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-98-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-100-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-99-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-101-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-102-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-103-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-108-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-110-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-109-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-111-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-112-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-113-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-115-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-116-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-114-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-117-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-119-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-118-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-120-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-122-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-121-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-124-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-125-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-123-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1664-126-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-128-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-127-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2620-129-0x0000000003270000-0x0000000003280000-memory.dmp

memory/1664-130-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/1864-131-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2760-132-0x0000000000400000-0x00000000004A0000-memory.dmp