Malware Analysis Report

2025-08-10 22:51

Sample ID 240107-x2bzhsccep
Target a55653f091ed18edbe657030b185c23e.exe
SHA256 e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec
Tags
evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2f3a6e1d219c9304c3cfabcf3ed5436b7b94fae2c578df159b40ac9e1fbf8ec

Threat Level: Known bad

The file a55653f091ed18edbe657030b185c23e.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Windows security bypass

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Loads dropped DLL

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Office loads VBA resources, possible macro or embedded object present

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:20

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:23

Platform

win7-20231129-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uojkxcsj = "rltnmyqkan.exe" C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mgcuvekd = "gvdgjvfuvlcgdve.exe" C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "xdahcslvewojh.exe" C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\l: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\rltnmyqkan.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\ibdzrjpv.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\rltnmyqkan.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdzrjpv.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created C:\Windows\SysWOW64\xdahcslvewojh.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created C:\Windows\SysWOW64\rltnmyqkan.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\rltnmyqkan.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created C:\Windows\SysWOW64\ibdzrjpv.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\xdahcslvewojh.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\rltnmyqkan.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File created \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\ibdzrjpv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\~$mydoc.rtf C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\rltnmyqkan.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184DC60F15E1DBBEB9B97CE1ED9534CD" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Windows\SysWOW64\rltnmyqkan.exe N/A
N/A N/A C:\Windows\SysWOW64\rltnmyqkan.exe N/A
N/A N/A C:\Windows\SysWOW64\rltnmyqkan.exe N/A
N/A N/A C:\Windows\SysWOW64\rltnmyqkan.exe N/A
N/A N/A C:\Windows\SysWOW64\rltnmyqkan.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\ibdzrjpv.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A
N/A N/A C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe N/A
N/A N/A C:\Windows\SysWOW64\xdahcslvewojh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
PID 2380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xdahcslvewojh.exe
PID 2380 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xdahcslvewojh.exe
PID 2380 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xdahcslvewojh.exe
PID 2380 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xdahcslvewojh.exe
PID 1228 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rltnmyqkan.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 1228 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rltnmyqkan.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 1228 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rltnmyqkan.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 1228 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rltnmyqkan.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2496 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2496 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
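
The table above is easier to read as a process tree than as 28 rows. The Python below is an added example, not the sandbox's own tooling: it parses rows in the report's `PID X wrote to memory of Y` format, collapses repeated pairs into a write count, and renders the parent/child graph, flagging writes whose target is a pre-existing binary under Program Files or directly in the Windows directory. The sample rows are copied from the table above (only the first pair keeps its four duplicates, to show the counting); the legitimate-binary heuristic is this example's own assumption.

```python
"""Rebuild the parent/child write graph from a sandbox "Suspicious use of
WriteProcessMemory" table and print it as an indented tree.

Added example; the parsing and rendering are not part of the sandbox's own
tooling. The rows below are copied from the behavioral1 table of this report.
"""
import re
from collections import OrderedDict, defaultdict

# Constructed input: one report row per line (first pair keeps its 4 duplicates).
REPORT_ROWS = r"""
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\rltnmyqkan.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe
PID 2380 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xdahcslvewojh.exe
PID 1228 wrote to memory of 2640 N/A C:\Windows\SysWOW64\rltnmyqkan.exe C:\Windows\SysWOW64\ibdzrjpv.exe
PID 2380 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2496 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
"""

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>": both images
# start with "C:\" and the first never contains " C:\", so a lazy match splits
# them correctly even when a path contains spaces ("Program Files (x86)").
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+?)(?: N/A)?$")


def parse_writes(text):
    """Map (src_pid, dst_pid) -> {src_image, dst_image, writes}, first-seen order."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        if key in edges:
            edges[key]["writes"] += 1
        else:
            edges[key] = {"src_image": src_img, "dst_image": dst_img, "writes": 1}
    return edges


def is_legit_target(image):
    """Heuristic (this example's assumption): a write target under Program Files or
    directly in the Windows directory is a pre-existing binary, not a SysWOW64 drop."""
    low = image.lower()
    return low.startswith("c:\\program files") or re.match(r"c:\\windows\\[^\\]+\.exe$", low) is not None


def build_tree(edges):
    """Return (children, image_by_pid, roots); roots are PIDs nobody wrote into."""
    children, image = defaultdict(list), {}
    for (src, dst), info in edges.items():
        children[src].append(dst)
        image.setdefault(src, info["src_image"])
        image[dst] = info["dst_image"]
    targets = {dst for _, dst in edges}
    roots = [pid for pid in image if pid not in targets]
    return children, image, roots


def render_tree(edges):
    """Indented lines, one per process, with the write count on each child."""
    children, image, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, parent):
        name = image[pid].rsplit("\\", 1)[-1]
        note = ""
        if parent is not None:
            n = edges[(parent, pid)]["writes"]
            note = f"  ({n} write{'s' if n != 1 else ''}"
            if is_legit_target(image[pid]):
                note += ", legitimate binary: inspect"
            note += ")"
        lines.append("  " * depth + f"{pid} {name}{note}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_writes(REPORT_ROWS))))
```

Reading the result: the sample (PID 2380) writes into the four copies it dropped in SysWOW64, rltnmyqkan.exe (1228) in turn writes into a second ibdzrjpv.exe (2640), and 2380 also writes into WINWORD.EXE (2496), which the Processes list shows it launched with /n on C:\Windows\mydoc.rtf, a file the sample itself opens for modification in the behavioral2 run. WINWORD writing into splwow64.exe (2832) is Word's normal 32-bit print-driver helper and is flagged only because the heuristic is path-based. Each pair repeats four times because the sandbox logs every call; a parent writing into a child it has just created is also what ordinary process start-up looks like in these traces, so treat the table as process lineage and confirm any injection claim against the memory dumps listed under Files (memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp covers PID 2380's own image at 0x400000).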

Processes

C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe

"C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"

C:\Windows\SysWOW64\rltnmyqkan.exe

rltnmyqkan.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\SysWOW64\ibdzrjpv.exe

C:\Windows\system32\ibdzrjpv.exe

C:\Windows\SysWOW64\xdahcslvewojh.exe

xdahcslvewojh.exe

C:\Windows\SysWOW64\ibdzrjpv.exe

ibdzrjpv.exe

C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe

gvdgjvfuvlcgdve.exe

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2380-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe

MD5 5adafb3372e232d25d0ab54e6c97f2ea
SHA1 3ca5e80575c139319a0e6ce6d1ca13d90ca35210
SHA256 177d690f7659284712ead93d9a8e78f169142225a02525e3f816644565d0a9e9
SHA512 9389505b00e0243eb36436665497774abdde574410b9746784a123623bda8c7857780f8297105d2850ea7b3f63c8c40c2657ce60a3143d936c805379a4d2ec71

\Windows\SysWOW64\rltnmyqkan.exe

MD5 67c515e91b0456bd93889826750ea960
SHA1 22fbd4d942c1753a5ec08a06295e2de07cc8a7f0
SHA256 c52bf1c19b874dd1222e224529ac47e673311abd5d4c78a58bf7d9c710093c4e
SHA512 f76187c2f9c5feada49b612125aaa08d7000a411c1dd427b0f6dfc11925e246b9e509169e699c25cece160829f363105773a42dcc3c5dba63bd48fc82660bca5

C:\Windows\SysWOW64\xdahcslvewojh.exe

MD5 badd716c7c48a8241873d9251da496d1
SHA1 6bd2a072c8f64a1780fe75d983cb7b6584985c6d
SHA256 ad4373bfa026f66380b8ce44d6bc300d146770114fb10087019af7c616dc11d7
SHA512 7bf3f09216e2ba376053e668963797cd78f91119467917a84f467dd3110d6bd26592784cdf7cefd293413ff5b6dbe10a996d89627177235d9f109732c05f36c5

C:\Windows\SysWOW64\ibdzrjpv.exe

MD5 0e151ec3919b72f9a6c7fe60d10f4ea0
SHA1 91fb01badc6db9808233ff95abf39c37982a8c85
SHA256 f644299fe8f10c5f3e24c1943fc808270b5d4f853e2316abf091c8d18344193c
SHA512 41d25f82ce04a14c21d19a9ad2d12663714221b6ecb1c3ee579a4a134949de0bfb3e6212e9acf97d0659d50e7a034dcdc103ecbedd8a71fbfefdc30f5728c12b

C:\Windows\SysWOW64\gvdgjvfuvlcgdve.exe

MD5 7fc6cf931da79ecd4267f22c6a1aefa8
SHA1 913682b9a75a4089cc18ec25b28e082916a6b314
SHA256 2672445b36639d26c7bcf277704d7f634ea7a6f4eac634027b98fb3f94062487
SHA512 272947751145ba29cbfecc6fe73cf5e20cf017c8c436a8af45198499e8b34c5f70215c3d5f21676a2a5de87616e85aa12b5cf0e263d57042e4221f7e12d81eaf

C:\Windows\SysWOW64\ibdzrjpv.exe

MD5 257f28bd5bdc2b725434b7ab570814e7
SHA1 972446e0f8d210c5d6f42a57a921391a236d564d
SHA256 d80f45a5995ba038d69dbe87f7c12827ffa2b53e79beedb0bc6ee91c10a61688
SHA512 c27aa91c3c3605941a1a121021c840fc7886cf27d43e9d6b2c371888a276d9dfd39135600a4f933f62dfa3d46cb6e12de6e31b3f8b939676701ff37f8cc61575

memory/2496-45-0x000000002FD61000-0x000000002FD62000-memory.dmp

memory/2496-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Windows\SysWOW64\xdahcslvewojh.exe

MD5 609af11fd29d08e54980de8c57a56b23
SHA1 e50dccaa3bd6cb5b4793d75239949664c7b7b85c
SHA256 263becbbaf456f58f41f0ac5b3d64a9146f02fe787e80917150392fa4b571274
SHA512 598fc2efae60327ed354d106300f79ddd327756e93b5afaa7178dde66f28b9326c31b553190840a55c1d1d3b027015fbfe7b8a004564aed9dc1b3ecb184f8586

memory/2496-47-0x000000007130D000-0x0000000071318000-memory.dmp

\Windows\SysWOW64\xdahcslvewojh.exe

MD5 c03f1b415c1a0f85ad198a005bf7046e
SHA1 a2efaf68ab7dd7dcc79269aa3cd97522358a9cdb
SHA256 74e015f4c2e9e3124b63eb60f1c32a8a593cdedc52057a6d92d718246e48f0de
SHA512 e1174f2d5c4af620eb9fd1baebff76c3bec1cc70a061424ce0d82cdcca358d39d9d79154838d507973bbcb5cf574a18eb20b4347e84aaf8a4431017a25011f49

\Windows\SysWOW64\ibdzrjpv.exe

MD5 d1b3806f6ce4b24ff6eb532197bef5be
SHA1 c59b2fa57ca35afdccd930c058f6346b3b1e7b7d
SHA256 4a5c8955f353a366774fe39bc856111dfc9372adc5095cb68080041a5cbaf959
SHA512 51c5d4da159f11a9b5a6325fc53907e10be011509bed0ee795284ab65eadab503265a313ae6c56b171691da2d722a43f02605df76f4c1a06a1eb3f07d941bf9d

memory/2496-76-0x000000007130D000-0x0000000071318000-memory.dmp

memory/2496-97-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 070c0b58a341f40f0f1d37f9d21c60d9
SHA1 d37f5fe58b3eeb24cff982dee4d0d846f57e537c
SHA256 b027be3f271bbf5ccf238d9db22b5c76853700aa5cbb201ff0fdb9e9a387f048
SHA512 902563e4388f56c1361ccd5aa20a032ff2fdad87969967ee6a87edfb96231d64a3cc922600c49297408f9ba0034d03e22aea51d45f960a32dd737d23206f6d51

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:23

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nblnkjqf = "xqkjqhcidd.exe" C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cyoqdean = "zknqubcpxzdrnyg.exe" C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "nevaqadkxpwwr.exe" C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created C:\Windows\SysWOW64\sdvvumaw.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\nevaqadkxpwwr.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Windows\SysWOW64\sdvvumaw.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created C:\Windows\SysWOW64\nevaqadkxpwwr.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
File opened for modification \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
File created \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File opened for modification \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A
File created \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe C:\Windows\SysWOW64\sdvvumaw.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D799C2283556D4676A770252CD77DF364DD" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB7FE6821ADD27BD0A48B789117" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABFF963F29884753B4386983E91B3FE03FE4313023BE1BF45E908D4" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12E4493389D52CBBAA632EDD4BE" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF824F2685699040D75F7D91BDE6E643584766406242D6ED" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77815EDDBC5B8C07CE1ED9F34C7" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
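
The security-relevant part of the table above is the handful of rows written by xqkjqhcidd.exe: the default value of the `.bat`, `.vbs`, `.reg`, `.wsf`, `.wsc` and `.wsh` classes is pointed at the `txtfile` ProgID. After that, double-clicking (or ShellExecute-launching) a batch file, script or `.reg` file opens it in Notepad instead of executing it, which frustrates point-and-click remediation; together with "Disables RegEdit via registry modification" from the summary, an operator cannot import a cleanup `.reg` file through Explorer either. Direct invocation (`cmd /c`, `cscript`, `reg import`) does not consult these associations, so scripted remediation still works. The `CLV.Classes\Com*`/`StartCom*` values are opaque upper-case hex strings that the report does not decode. The script below is an added example, not sandbox output or sample code: it parses the rows exactly as printed above, lists the hijacked script extensions with the process responsible, and extracts the custom class values for further analysis.

```python
import re
from typing import Dict, List

# Rows copied verbatim from the "Modifies registry class" table above.
REGISTRY_CLASS_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32322D799C2283556D4676A770252CD77DF364DD" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7846BB7FE6821ADD27BD0A48B789117" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6BBFFABFF963F29884753B4386983E91B3FE03FE4313023BE1BF45E908D4" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB1B12E4493389D52CBBAA632EDD4BE" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7EFFFF824F2685699040D75F7D91BDE6E643584766406242D6ED" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "183AC77815EDDBC5B8C07CE1ED9F34C7" C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
"""

# One report row: <operation> <key> [= "<value>"] <process image> <target>.
# The key and the process path may both contain spaces, so the process is
# anchored on the drive letter and the ".exe" suffix rather than on whitespace.
ROW = re.compile(
    r"^(?P<op>Set value \([^)]*\)|Key created|Key deleted)\s+"
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r"\s+(?P<process>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>\S+)$",
    re.IGNORECASE,
)
# A file-extension class such as HKCR\.vbs (with or without a trailing backslash).
EXT_KEY = re.compile(r"\\Classes\\(\.[A-Za-z0-9]+)\\?$", re.IGNORECASE)


def parse_rows(text: str) -> List[dict]:
    """Turn the flattened report rows into dicts; fail loudly on a row we cannot read."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def script_extension_hijacks(rows: List[dict], redirect_to: str = "txtfile") -> Dict[str, str]:
    """{extension: process} for every extension whose default ProgID was set to `redirect_to`."""
    hits: Dict[str, str] = {}
    for r in rows:
        if r["value"] is None:
            continue
        m = EXT_KEY.search(r["key"])
        if m and r["value"].lower() == redirect_to.lower():
            hits[m.group(1).lower()] = r["process"]
    return hits


def custom_class_values(rows: List[dict], class_name: str = "CLV.Classes") -> Dict[str, str]:
    """{value name: data} for string values written under HKCR\\<class_name>."""
    pat = re.compile(r"\\Classes\\" + re.escape(class_name) + r"\\(\w+)$", re.IGNORECASE)
    out: Dict[str, str] = {}
    for r in rows:
        m = pat.search(r["key"])
        if m and r["value"] is not None:
            out[m.group(1)] = r["value"]
    return out


if __name__ == "__main__":
    rows = parse_rows(REGISTRY_CLASS_ROWS)
    for ext, proc in sorted(script_extension_hijacks(rows).items()):
        print(f"{ext:6} -> txtfile  (set by {proc})")
    for name, data in custom_class_values(rows).items():
        print(f"CLV.Classes\\{name} = {data}  ({len(data) // 2} bytes if hex)")
```

The same two functions run unchanged over the "Modifies registry class" table of any other report in this format, which is the point of keying on the `\Classes\.<ext>` shape rather than on this sample's extension list.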

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\xqkjqhcidd.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\nevaqadkxpwwr.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A
N/A N/A C:\Windows\SysWOW64\sdvvumaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4716 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
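
Read together, the rows above give the execution lineage: PID 4716 (the dropped sample) writes into each of the four random-named SysWOW64 binaries and into WINWORD.EXE, and PID 5020 (xqkjqhcidd.exe) in turn writes into a second sdvvumaw.exe instance (PID 3924). A caveat a practitioner needs here: every target is a process the sample itself launched (all appear in the Processes section below), and two or three writes into a freshly created child is what ordinary process creation looks like, because the parent writes the new process's parameter block into the child's address space before the first thread runs. The signature is therefore evidence of who started whom, not by itself of code injection; injection would show writes into a process the sample did not spawn, or far more writes than start-up needs. The script below is an added example, not sandbox output or sample code: it parses the rows as printed, rebuilds the tree, and separates start-up writes into own children from cross-process writes. The list of spawned images is taken from the Processes section; the three-write threshold is an assumption for illustration.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Rows copied verbatim from the "Suspicious use of WriteProcessMemory" table above.
WPM_ROWS = r"""
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\xqkjqhcidd.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Windows\SysWOW64\nevaqadkxpwwr.exe
PID 4716 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4716 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
PID 5020 wrote to memory of 3924 N/A C:\Windows\SysWOW64\xqkjqhcidd.exe C:\Windows\SysWOW64\sdvvumaw.exe
"""

# Images of the processes the sample launched, copied from the Processes section.
SPAWNED_IMAGES = {p.lower() for p in [
    r"C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe",
    r"C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe",
    r"C:\Windows\SysWOW64\sdvvumaw.exe",
    r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
    r"C:\Windows\SysWOW64\nevaqadkxpwwr.exe",
    r"C:\Windows\SysWOW64\xqkjqhcidd.exe",
]}

# Both image paths may contain spaces; anchor them on the drive letter and ".exe".
ROW = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_image>[A-Za-z]:\\.+?\.exe)\s+(?P<dst_image>[A-Za-z]:\\.+?\.exe)$",
    re.IGNORECASE,
)
Edge = Tuple[int, int]


def parse_writes(text: str) -> Tuple[Counter, Dict[int, str]]:
    """Count writes per (writer PID, target PID) and remember each PID's image path."""
    edges: Counter = Counter()
    images: Dict[int, str] = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src] = m["src_image"]
        images[dst] = m["dst_image"]
    return edges, images


def lineage(edges: Counter) -> Dict[int, Set[int]]:
    """writer PID -> set of PIDs it wrote into."""
    children: Dict[int, Set[int]] = defaultdict(set)
    for src, dst in edges:
        children[src].add(dst)
    return dict(children)


def roots(edges: Counter) -> Set[int]:
    """PIDs that wrote into others but were never written into: the origin(s) of the chain."""
    return {s for s, _ in edges} - {d for _, d in edges}


def classify(edges: Counter, images: Dict[int, str], spawned: Set[str],
             max_setup_writes: int = 3) -> Dict[Edge, str]:
    """A few writes into a child the sample launched is CreateProcess set-up (the parent
    writes the child's process-parameters block); anything else deserves a look.
    `max_setup_writes` is an illustrative threshold, not a documented constant."""
    verdicts: Dict[Edge, str] = {}
    for (src, dst), n in edges.items():
        if images[dst].lower() in spawned and n <= max_setup_writes:
            verdicts[(src, dst)] = "expected: start-up writes into own child"
        else:
            verdicts[(src, dst)] = "investigate: cross-process write"
    return verdicts


def render_tree(edges: Counter, images: Dict[int, str], root: int,
                depth: int = 0, writes: int = None) -> List[str]:
    """Indented who-wrote-into-whom view starting at `root`, children in PID order."""
    label = images[root].rsplit("\\", 1)[-1]
    suffix = f" ({writes} writes)" if writes is not None else ""
    lines = ["  " * depth + f"{root} {label}{suffix}"]
    for kid in sorted(lineage(edges).get(root, ())):
        lines.extend(render_tree(edges, images, kid, depth + 1, edges[(root, kid)]))
    return lines


if __name__ == "__main__":
    edges, images = parse_writes(WPM_ROWS)
    for root in sorted(roots(edges)):
        print("\n".join(render_tree(edges, images, root)))
    for edge, verdict in classify(edges, images, SPAWNED_IMAGES).items():
        print(edge, verdict)
```

For this detonation every edge comes out as a start-up write, which is consistent with the Processes section: the value of the table is the dropper → xqkjqhcidd.exe → sdvvumaw.exe chain, not an injection finding.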

Processes

C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe

"C:\Users\Admin\AppData\Local\Temp\a55653f091ed18edbe657030b185c23e.exe"

C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

zknqubcpxzdrnyg.exe

C:\Windows\SysWOW64\sdvvumaw.exe

sdvvumaw.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

C:\Windows\SysWOW64\sdvvumaw.exe

C:\Windows\system32\sdvvumaw.exe

C:\Windows\SysWOW64\nevaqadkxpwwr.exe

nevaqadkxpwwr.exe

C:\Windows\SysWOW64\xqkjqhcidd.exe

xqkjqhcidd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 77.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 46.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
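
Most of the table above is not the sample talking: the `in-addr.arpa` rows are reverse lookups (the octets of the queried IP written backwards), and the only direct connections are TLS sessions to two Bing hosts, which fits Office background traffic from the WINWORD.EXE instance the sample launched rather than command-and-control. That is an analyst's reading, not something the report states, and the absence of anything else inside the detonation window does not prove the sample has no C2; it may gate on time, locale or environment. The script below is an added example, not sandbox output or sample code: it parses the rows as printed, decodes each PTR name back to the address that was looked up so it can be matched against the connection list, and reports whatever is left after reverse lookups and an analyst-approved suffix list are removed. The benign suffix set is an assumption made for this report, not a general allowlist.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Rows copied verbatim from the Network table above (Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 67.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 77.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 46.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
"""

# Assumption (analyst judgement for this report, not stated by the sandbox):
# the Bing hosts are Office/Windows background traffic, not the sample's own.
BENIGN_SUFFIXES = {"bing.com", "bing.net"}

ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<dst>\S+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$")
PTR = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.IGNORECASE)


def parse_network(text: str) -> List[dict]:
    """Flattened report rows -> dicts with cc, dst, name, proto; fail on anything unreadable."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """Reverse-DNS names list the octets backwards; return the IP that was looked up, or None."""
    m = PTR.match(name)
    if not m:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))


def summarize(rows: List[dict]) -> Dict[str, object]:
    """Split the table into reverse lookups, forward lookups, and actual connections."""
    ptr_targets, forward_lookups = set(), set()
    connections: Dict[str, set] = defaultdict(set)
    for r in rows:
        ip = ptr_to_ip(r["name"])
        if ip:
            ptr_targets.add(ip)
        elif r["proto"] == "udp" and r["dst"].endswith(":53"):
            forward_lookups.add(r["name"].lower())
        else:
            connections[r["name"].lower()].add(r["dst"])
    return {"ptr_targets": ptr_targets, "forward_lookups": forward_lookups,
            "connections": dict(connections)}


def unexplained(rows: List[dict], benign_suffixes: Iterable[str]) -> List[dict]:
    """Rows that are neither reverse lookups nor under an approved suffix: what still needs an analyst."""
    keep = []
    for r in rows:
        if ptr_to_ip(r["name"]):
            continue
        name = r["name"].lower().rstrip(".")
        if any(name == s or name.endswith("." + s) for s in benign_suffixes):
            continue
        keep.append(r)
    return keep


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    s = summarize(rows)
    print(f"{len(s['ptr_targets'])} reverse lookups, e.g. {sorted(s['ptr_targets'])[:3]}")
    print("connections:", s["connections"])
    print("unexplained after allowlist:", unexplained(rows, BENIGN_SUFFIXES))
```

Decoding the PTR names is what makes the table comparable with the connection list: 200.197.79.204.in-addr.arpa is the lookup for 204.79.197.200, the same address both Bing hosts resolve to here.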

Files

memory/4716-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

MD5 30af0cd048a6f5be623951643cd14d28
SHA1 47ee81993a3603fd840b2eaf5b4f83e2feba0b80
SHA256 4f1498efede0d439e3644d0b6d63e056c934ea63bbf1429d91e2e39ddc921ef3
SHA512 cfe4c237a33c51529bc685c4fd1548261262a1612f67cb26b7b618771d8a8ab7ab20eea1a86bc787d8556eeaf8f9ec9f568f3d2205804b47d908504da6586f80

C:\Windows\SysWOW64\sdvvumaw.exe

MD5 c218401b7a4f9c830d294d1dfa145d3b
SHA1 d528cce0e980d5cbcfb4971f6b1dec309871f0fc
SHA256 e292c9c81908f49e54e9ed0c03c024b2764eebca44e8ab1228efea1154c8bdf2
SHA512 4d0aea282bfa11108722f4c7cb129c1d5cf30e5d4bf988e5d3a6f3aaea85401f31a55b43c17c6a678e17c3a395a4eef7b5e4a884c9bd27b9eb3d4cf9e039be02

C:\Windows\SysWOW64\sdvvumaw.exe

MD5 0349bcc51e358b089b8a916c085924ac
SHA1 11c4a2209bb79d933ed4f211c296df184f4aaaf0
SHA256 38a68a4cc5711fe9b2b363f745f286aa7de369f2c13e4ddca571a6b2c6e72c43
SHA512 7197219549c21a228d7b1ea529a09ed011ac11551cffedd3d04c8863a52936c5fb3c0eade219b661a3444c9546275c14d6d2f2f714effedf38a9a74a2ddaa864

C:\Windows\SysWOW64\nevaqadkxpwwr.exe

MD5 e083de0dae5df581fe8aebfdbe8a8515
SHA1 de8f2a38d4c6acbdba6525f1154e73d1c32bf9c8
SHA256 d5da42b3e1193ccddc2c6a6ede9d12156d6a05ab2d23e389662777810204ac5b
SHA512 65db92855de2eaf9e7e8782277fb21b2e872137fd2da7c16676af0616c19ad47e958557d61d649bdd312dec7353f2a4661b32134299726914a5e568164935465

memory/1888-37-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-40-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-43-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-47-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-49-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-51-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-53-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-55-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-57-0x00007FF989A90000-0x00007FF989AA0000-memory.dmp

memory/1888-58-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-56-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-54-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-52-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/1888-50-0x00007FF989A90000-0x00007FF989AA0000-memory.dmp

memory/1888-48-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-46-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Windows\SysWOW64\sdvvumaw.exe

MD5 8ce5c42dcb5bb99b42dfc99b5d8f0609
SHA1 aa66771f7ead7bd41b82d908b65086a43e57e354
SHA256 0dfba2ab75a66072278603be912db56295bb4470aa11f50f590994ddbfaf6784
SHA512 388bdc31b12c990b04615e13e7b114572bf4ef881dfd1b11a71422f3c757ba0ec586d3de4d52155ec72923ed2b2fee30b2d952bfeb728ec76404cacecfbaaa74

memory/1888-42-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-41-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-39-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-38-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-36-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-35-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

C:\Windows\SysWOW64\nevaqadkxpwwr.exe

MD5 5a1366d811460096a3c3f9960094826e
SHA1 73404ca8a2aad03e5abf7adeb6cbb311b2cf6a0a
SHA256 4e9231d36d7c9aadd6a627de644ddf942629f80c1d33739a9cdded3380bfca92
SHA512 95d7b50fe24e86d40df88c6c7c2c57c1e2a9575c3922316dc842e3cf41712b8f511a6602e83aa43b45e819dd85a0b853340e47055ea5d8e00794344328cb58e1

C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

MD5 60c7cc5b0ecff4d2fd54a78d33e530bc
SHA1 ac796bcce2ceff3d37dfad327f70ca809766f37b
SHA256 21b01eb8aca8303499059d54f5c0bf11f2ae0bf3f3a58253c8794d1bb8842f42
SHA512 17c1288ff18565a5823b95f6e7621a828242b8632b41ce5c14b31e899894ff76d795b0de0cb90a8b2d32c3b4a41f25ebab7123b6e988118d29caea569d44b4d5

C:\Windows\SysWOW64\xqkjqhcidd.exe

MD5 7798e437ad2675b7b314967f97bd1d65
SHA1 75adcc02ed0238da96d122816b472dc5ce39ccfe
SHA256 8aa300da89e9875ebd69cd5173ed5e8fab83043c6cf701e71628841b75cf67d0
SHA512 15bf7c270b3f030f39a88d5e2808444533a90841419c3a506fdf63a887d6520e69b79e82f4f90ca7f5686953b5e7d2b45e03dfb51b31f9b0312baed4ed0d8455

C:\Windows\SysWOW64\xqkjqhcidd.exe

MD5 47e578d1d1ac0d9041eee6b4967d3025
SHA1 9b6c732f33155469ddc490001df01d423036b493
SHA256 fa2dbaf77184be2125a7faf94a4d38d809da41fe96969d8c683a948898a6ae52
SHA512 69a64594725188939e30c3615897c48cdcfd49c596b78c6dd6c3cdbe6f66c1351655ac17d20c78a09cf18917be7592671854b5be9fe638d680888edf0a22866b

C:\Windows\SysWOW64\zknqubcpxzdrnyg.exe

MD5 39fefc2896d1c99bc0faee45069e4235
SHA1 3deb22d173ccf88365d2f87fff4db906178fc3ea
SHA256 8332e6d7217ee1aa5adf469e8b25ab25b73a0b8dff1a93e9b99fe6eeccfdd2e9
SHA512 19944cf7177de370faab030134d587d3fa4455cf0d87624fedebde0553a259c686e75ddbb47796e461a87e420e43e7af5c8071ddf43795cbb2503ef580985b8b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 178acb3a535958573d2d65f5765423eb
SHA1 ab76495c02b1cce9d3a45af36898d541bc968a7f
SHA256 61af45b4e5e6874cb17af4ca2e3200284e8eed1bdfa68cbcd2062ae4f422de0f
SHA512 c8370c983aa955071b61aa4d167ffa8c96dbf36f5ac962f4a950ab8679bd6cde956daa3c31a9d4eab346c50e8213e88a06e0b8b000506cacfeddcf62e35ea7b2

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe

MD5 a01969a7ace301cfa146501768a2785f
SHA1 b00866ee9a2a0ba411c4b576b628bb02c7eb377e
SHA256 2e3f2a3e7f185b1049ff36e8f91ed75257e0630c16b3b064e91cf3c6a90aa1e4
SHA512 f7af7b17e51a642088e8e78f9bc52fce49c207c033ef92363436350da7bdf2d97a19d1d1be7969d716c377a2b1cc387f1a39385ac1998734fedd00ff201c839c

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 c1ac0478509acff17293605b5c0769e4
SHA1 9ea219a8886ab0f868f2139bcd858cfb90c254e0
SHA256 8f1d8d9584e76cf3dba8216171376d8a8fecea53d3f98008ea432fb9326547a7
SHA512 b6ce1b16d3694c9271e269573243e77136378a46645b1dba1a644920183769eed958facff19ee8e62722d2d61c30add412745b4db26db33ce9a2fa0236e60d97

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 cb773013b2b1110e85a5b84471babddf
SHA1 67583aa38c393612a3d18c55faa71b18c72bf2fd
SHA256 f575abb671bdaed6cff1648fd5caf0426c3d88e40e41c2902844b015536634b2
SHA512 0e57db1a4476573e0003c47c951303df939f281d482746fdb73557b7ec06293bb72ccff7d900c20d09d558f021065f624f0dd73a2957f08f06dd1954f7e53fd1

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 3a81bb7f89fff51fd80d1e9e1e60471f
SHA1 7c04e73b47855108f7cb0f1f8e76b71078d74158
SHA256 7afee2b09ec479879bca80da134ceff2df40ad8eff99ed5b1461e6b64e3c474e
SHA512 d8500626b99b14b8e441c88b9a8431db9188b5dea17610b1d5ff35a199195026f6c9961281e7c3a4babe8c88b1a949a03a42c6872e2eb0ec1761f65095f777cc

\??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe

MD5 625d8f23cc5676a6b6a5e520be0ee917
SHA1 32e34e6f577e98666d51c91d4971bc6a8d873fb4
SHA256 f3ccf8404009dddb8b726cc094e8835e6fa5e5ed91dde8edfeb927c8ad2de99c
SHA512 52507463d4afade3b4717d9d7ea0661c78464d31e4a613ab9e7876e67e0d9d0197e18684ccf264e2c3e9bedcaab4a4e42aefec6e06b850f9bd75d1430244feb7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e6100b7d0180b75d49c331f6d15fed9d
SHA1 61aeef274a26310dda0815d4308ef49c79d45774
SHA256 50bee110d2282d15fb42f62109916d8323948a1516e028fba1e4b8da03b7c097
SHA512 4b2397b65cfe6dcd248d941f3aecc965c155d06a635d5c943b51b8a5036391e1f5d985f36895f010f79c915e9390ba3c23660419c573f6bcd0e1b4c0a49feeb5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 edef1f39b6c213fe678c244843cde01f
SHA1 d699b72ba58aaf977f97bcce42e53ff87776e935
SHA256 8d673aef8428334f765845bd3c01fb552edf4f5a8f1838497ab729e41a45b83f
SHA512 15bab0c4de17bbae495f517b69fd27c23ee9dbfef170457df3b50be31fdd8a4b3b1548d80fed9c0410afd85500a6fd48bdaeaad86a73ef441cb2a5369f3189e4

memory/1888-114-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-115-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-116-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-140-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-139-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-141-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp

memory/1888-143-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-144-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-142-0x00007FF9CBD90000-0x00007FF9CBF85000-memory.dmp

memory/1888-138-0x00007FF98BE10000-0x00007FF98BE20000-memory.dmp