Malware Analysis Report

2025-08-10 22:52

Sample ID 240107-x28cqadcb9
Target abed8efcd70338477e181f1d423f4165.exe
SHA256 3dd43dbae635f5dc7294c39c7cc92e0240542a1124383d1f02eb113c52bd1a6c
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3dd43dbae635f5dc7294c39c7cc92e0240542a1124383d1f02eb113c52bd1a6c

Threat Level: Known bad

The file abed8efcd70338477e181f1d423f4165.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies registry class

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:22

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:22

Reported

2024-01-07 19:25

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "ejixnkamihclb.exe" C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svtiqzqw = "bqgxenmyxm.exe" C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\nznbxjcc = "gslgztttkphgmqe.exe" C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\meqkefmc.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
File created C:\Windows\SysWOW64\meqkefmc.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\meqkefmc.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created C:\Windows\SysWOW64\ejixnkamihclb.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\ejixnkamihclb.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\meqkefmc.exe N/A
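The PROTTPLN.DOC.exe and PROTTPLV.DOC.exe drops above, read together with the HideFileExt = "1" write in the first signature table, are the part of this run worth turning into a host check: with extensions hidden, Explorer shows each file as PROTTPLN.DOC sitting among Office's own templates. The scanner below is an added example by the editor, not part of the sandbox report: it walks a directory tree, flags names of the form name.<document extension>.<executable extension>, records what Explorer would display, and checks for an MZ header. The tree it scans is a temporary directory filled with constructed placeholder files that reuse the names from the table; the two extension lists are the editor's, not the sandbox's.

```python
"""Hunt for the drop pattern in the 'Drops file in Program Files directory'
table: executables written beside Office's own templates under a deceptive
double extension (PROTTPLN.DOC.exe, PROTTPLV.DOC.exe), which the sample pairs
with the HideFileExt=1 write so that Explorer shows them as 'PROTTPLN.DOC'.
Editor's added example, not part of the report; it scans a temporary directory
populated with constructed placeholder files that reuse the reported names."""
from __future__ import annotations
import os
import tempfile
from dataclasses import dataclass

# Extensions the shell executes on double-click (editor's short list) and the
# document-looking inner extensions worth flagging in front of them.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".wsc"}
DOC_EXT = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf", ".txt", ".jpg"}


@dataclass
class Hit:
    name: str
    path: str
    shown_as: str   # what Explorer displays with HideFileExt = 1
    is_pe: bool     # file starts with the "MZ" DOS header


def looks_deceptive(filename: str) -> bool:
    """True for <anything>.<doc-like>.<executable>, e.g. PROTTPLN.DOC.exe."""
    root, last = os.path.splitext(filename)
    _, inner = os.path.splitext(root)
    return last.lower() in EXEC_EXT and inner.lower() in DOC_EXT


def has_mz_header(path: str) -> bool:
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan(root_dir: str) -> list[Hit]:
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if looks_deceptive(name):
                full = os.path.join(dirpath, name)
                # Explorer's HideFileExt strips only the final extension.
                hits.append(Hit(name, full, os.path.splitext(name)[0], has_mz_header(full)))
    return sorted(hits, key=lambda h: h.name)


def build_sample_tree() -> str:
    """Constructed stand-in for the Office14/1033 template directory."""
    base = tempfile.mkdtemp(prefix="office14_")
    d = os.path.join(base, "Microsoft Office", "Office14", "1033")
    os.makedirs(d)
    for name in ("PROTTPLN.DOC.exe", "PROTTPLV.DOC.exe"):    # names from the report
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)                    # placeholder PE stub
    with open(os.path.join(d, "PROTTPLN.nal"), "wb") as fh:   # single extension, ignored
        fh.write(b"\x00" * 16)
    return base


if __name__ == "__main__":
    for hit in scan(build_sample_tree()):
        print(f"{hit.path}  shown as '{hit.shown_as}'  PE={hit.is_pe}")
```

On a real host the scan root would be the Program Files tree; the MZ check separates a genuinely dropped executable from a harmless file that merely carries an odd name.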

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
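The long hex blobs that WINWORD.EXE wrote to the ...\shell\edit\command\command values above are REG_MULTI_SZ data holding Windows Installer "Darwin descriptors", the advertised-shortcut form Office uses to register its file handlers; WINWORD.EXE, launched on C:\Windows\mydoc.rtf during this run, rewrites them as part of its normal file-type registration. The decoder below is an added example by the editor, not part of the sandbox report or of the sample: it parses one report row, decodes the UTF-16LE multi-string and unpacks the two 20-character compressed GUIDs using Windows Installer's base-85 alphabet. For the row shown, the product code decodes to {90140000-0011-0000-0000-0000000FF1CE}, the Office 2010 product code matching the Office14 path, and the descriptor names the WORDFiles feature with the arguments /n "%1"; that tells the analyst these rows are Office's own registration noise rather than attacker persistence, so the sample's writes in the same tables are the ones to keep.

```python
"""Decode the hex-encoded REG_MULTI_SZ 'command' values that WINWORD.EXE wrote
in the table above. They are Windows Installer "Darwin descriptors" (the
advertised-shortcut form Office registers for its file types), so decoding
them separates Office's own registration noise from the sample's writes.
Added example: editor's code, not part of the sandbox report."""
from __future__ import annotations
import re

# Windows Installer's base-85 alphabet for compressed GUIDs: 85 symbols, five
# symbols per 32-bit word, least significant symbol first.
DARWIN_ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                   "[]^_`abcdefghijklmnopqrstuvwxyz{}~")
assert len(DARWIN_ALPHABET) == 85
_DIGIT = {c: i for i, c in enumerate(DARWIN_ALPHABET)}


def decode_reg_multi_sz(hex_blob: str) -> list[str]:
    """REG_MULTI_SZ: UTF-16LE strings separated by NUL, terminated by two NULs."""
    text = bytes.fromhex(hex_blob).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def decompress_guid(packed: str) -> str:
    """20-char compressed GUID -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    if len(packed) != 20:
        raise ValueError("compressed GUID must be 20 characters")
    words = []
    for i in range(0, 20, 5):
        value = 0
        for ch in reversed(packed[i:i + 5]):
            value = value * 85 + _DIGIT[ch]
        words.append(value)
    w0, w1, w2, w3 = words
    # Data1 = w0; Data2/Data3 = low/high half of w1; Data4 = w2 and w3 little-endian.
    data4 = w2.to_bytes(4, "little") + w3.to_bytes(4, "little")
    return "{%08X-%04X-%04X-%s-%s}" % (
        w0, w1 & 0xFFFF, w1 >> 16, data4[:2].hex().upper(), data4[2:].hex().upper())


def parse_darwin_descriptor(desc: str) -> dict[str, str]:
    """Layout: <product code, 20 chars><feature>'>'<component code, 20 chars><arguments>."""
    product, rest = desc[:20], desc[20:]
    feature, sep, rest = rest.partition(">")
    if sep != ">":
        raise ValueError("descriptor has no component separator")
    component, args = rest[:20], rest[20:]
    return {
        "product_code": decompress_guid(product),
        "feature": feature,
        "component_code": decompress_guid(component),
        "arguments": args,
    }


# Shape of the report's flattened rows: "Set value (data) <key> = <hex> <process> N/A"
_ROW = re.compile(r"^Set value \(data\) (?P<key>.+?) = (?P<hex>[0-9A-Fa-f]+) (?P<process>.+?) N/A$")


def parse_report_row(row: str) -> dict:
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError("not a 'Set value (data)' row")
    strings = decode_reg_multi_sz(m["hex"])
    return {"key": m["key"], "process": m["process"],
            "descriptor": parse_darwin_descriptor(strings[0])}


# Row copied verbatim from the "Modifies Internet Explorer settings" table.
SAMPLE_ROW = (
    r"Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer"
    r"\Default HTML Editor\shell\edit\command\command = "
    "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057"
    "004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050"
    "006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000"
    r" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A"
)

if __name__ == "__main__":
    for field, value in parse_report_row(SAMPLE_ROW).items():
        print(f"{field}: {value}")
```

The same decoder applies to the ...\OpenWithList\Excel.exe and ...\MSPub.exe command values in the next table, which carry the EXCELFiles and PubPrimary features of the same product code.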

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC6B12F44EF39E953CBBAD43298D7C5" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F268B3FF1B21D1D108D1A48B789014" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF4FF8D482982199136D72C7D94BDE0E140593067446332D7ED" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
N/A N/A C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
N/A N/A C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
N/A N/A C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
N/A N/A C:\Windows\SysWOW64\bqgxenmyxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\meqkefmc.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A
N/A N/A C:\Windows\SysWOW64\ejixnkamihclb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1516 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\bqgxenmyxm.exe
PID 1516 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\bqgxenmyxm.exe
PID 1516 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\bqgxenmyxm.exe
PID 1516 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\bqgxenmyxm.exe
PID 1516 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\gslgztttkphgmqe.exe
PID 1516 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\gslgztttkphgmqe.exe
PID 1516 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\gslgztttkphgmqe.exe
PID 1516 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\gslgztttkphgmqe.exe
PID 1516 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 1516 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 1516 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 1516 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 2128 wrote to memory of 2872 N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2872 N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2872 N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 2872 N/A C:\Windows\SysWOW64\gslgztttkphgmqe.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 1516 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 1516 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 1516 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 2872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 2872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 2872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 2872 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ejixnkamihclb.exe
PID 2836 wrote to memory of 1964 N/A C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 2836 wrote to memory of 1964 N/A C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 2836 wrote to memory of 1964 N/A C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 2836 wrote to memory of 1964 N/A C:\Windows\SysWOW64\bqgxenmyxm.exe C:\Windows\SysWOW64\meqkefmc.exe
PID 1516 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1516 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1516 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 1516 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2928 wrote to memory of 1396 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2928 wrote to memory of 1396 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2928 wrote to memory of 1396 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2928 wrote to memory of 1396 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe

"C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ejixnkamihclb.exe

C:\Windows\SysWOW64\ejixnkamihclb.exe

ejixnkamihclb.exe

C:\Windows\SysWOW64\ejixnkamihclb.exe

ejixnkamihclb.exe

C:\Windows\SysWOW64\meqkefmc.exe

meqkefmc.exe

C:\Windows\SysWOW64\gslgztttkphgmqe.exe

gslgztttkphgmqe.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\meqkefmc.exe

C:\Windows\system32\meqkefmc.exe

C:\Windows\SysWOW64\bqgxenmyxm.exe

bqgxenmyxm.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1516-0-0x0000000000400000-0x0000000000496000-memory.dmp

memory/2928-48-0x000000002F121000-0x000000002F122000-memory.dmp

memory/2928-49-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2928-50-0x00000000717FD000-0x0000000071808000-memory.dmp

memory/2928-69-0x00000000717FD000-0x0000000071808000-memory.dmp

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe

MD5 91d730540de1ab10bfce252802177bb4
SHA1 6294d2d84b1b0cba0d0fe18d5dc23307418ca7a9
SHA256 f7b942ecf87db44fdf1ebabab75b69427fff08a7f5fd1642e07c04dc0b079c9c
SHA512 ed2a559c38c77e76ed640b9132cd57c293325f148725edc70e01ca013c0ef70a8d44cec71865b256d8d29aaa1cbbdbda8153474da79bca33ea3c7f872dca839d

C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe

MD5 0d38c291c8d68273b00990cefff7bded
SHA1 8856283dd8c9d29f8eb9a8e229c1f4ec98c807e0
SHA256 723ceb73c7d02c469f4552e93e45276a57ccf25e45f8f4a75c9066de06a14923
SHA512 65ccbd4bfbbc4c0e1e45ab390b4aeb68700ff76969e8e9aebe78260bd339b6e66c088ad1f18ac98836b21d95498a0992231544b83eb63ac84986b05d441873e5

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 04f0775d88073f1133ed77c341753cbb
SHA1 c1fb1e9c763c10ec7280cc7ad82ef426137e14ac
SHA256 12b7400e4a43f5afcc6818c514e4d2ff13e70eb91ae8a73075fa0e31a9ef05bf
SHA512 b0b974d9acf011977524f1bc647bebca03be098cce72bfb2df151930a3010e1b94e750c52e88526fcbb51d496340a9cb57c73e0195fcb0d868108ccd8e630ee7

memory/2928-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2928-103-0x00000000717FD000-0x0000000071808000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:22

Reported

2024-01-07 19:24

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qahternn = "sjyjrfvegd.exe" C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gnlejatl = "vliuuhlhvhtstcb.exe" C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "iofblvqmjpavl.exe" C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\qxmnfwku.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created C:\Windows\SysWOW64\sjyjrfvegd.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\sjyjrfvegd.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\qxmnfwku.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created C:\Windows\SysWOW64\iofblvqmjpavl.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
File opened for modification C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created C:\Windows\SysWOW64\qxmnfwku.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification C:\Windows\SysWOW64\iofblvqmjpavl.exe C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\qxmnfwku.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F06BB4FE6C22DCD20CD1D38A0C9164" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183EC67F1597DABEB8CE7CE5ECE534BE" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EF8FF88482685139134D6217E94BDE0E141584767466241D798" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32402C0D9D2083556D3E76D677202CDB7DF264DD" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BCAFAB8F964F2E584753B3286973999B38902FC4213023AE2CA429C08A8" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2ECAB05B47E339EC53C8B9D5329ED4B8" C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\sjyjrfvegd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe N/A
N/A N/A C:\Windows\SysWOW64\sjyjrfvegd.exe N/A
N/A N/A C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe N/A
N/A N/A C:\Windows\SysWOW64\iofblvqmjpavl.exe N/A
N/A N/A C:\Windows\SysWOW64\qxmnfwku.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2544 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\sjyjrfvegd.exe
PID 2544 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe
PID 2544 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\qxmnfwku.exe
PID 2544 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Windows\SysWOW64\iofblvqmjpavl.exe
PID 2544 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4572 wrote to memory of 4152 N/A C:\Windows\SysWOW64\sjyjrfvegd.exe C:\Windows\SysWOW64\qxmnfwku.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe

"C:\Users\Admin\AppData\Local\Temp\abed8efcd70338477e181f1d423f4165.exe"

C:\Windows\SysWOW64\sjyjrfvegd.exe

sjyjrfvegd.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\qxmnfwku.exe

C:\Windows\system32\qxmnfwku.exe

C:\Windows\SysWOW64\iofblvqmjpavl.exe

iofblvqmjpavl.exe

C:\Windows\SysWOW64\qxmnfwku.exe

qxmnfwku.exe

C:\Windows\SysWOW64\vliuuhlhvhtstcb.exe

vliuuhlhvhtstcb.exe

Network

Country Destination Domain Proto

Files
