Malware Analysis Report

2025-08-10 22:52

Sample ID 240107-x2jz5adca4
Target 492aa041e8bc85623d4ee5ca79cb4994.exe
SHA256 40981dea368726c7fa3ff82e67c69da71275dde939a5ff28f034df0bd86b0a5b
Tags evasion persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 40981dea368726c7fa3ff82e67c69da71275dde939a5ff28f034df0bd86b0a5b

Threat Level: Known bad

The file 492aa041e8bc85623d4ee5ca79cb4994.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence spyware stealer trojan

Modifies visibility of hidden/system files in Explorer

Windows security bypass

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Drops file in System32 directory

AutoIT Executable

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-07 19:20

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-07 19:20

Reported 2024-01-07 19:23

Platform win7-20231215-en

Max time kernel 150s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "itrfgsxemmlkz.exe" | C:\Windows\SysWOW64\obpmdcvptferbqc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\icgyfppx = "lvxwrnoibc.exe" | C:\Windows\SysWOW64\obpmdcvptferbqc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qvhiathk = "obpmdcvptferbqc.exe" | C:\Windows\SysWOW64\obpmdcvptferbqc.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\w: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\s: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\o: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\n: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\u: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\r: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\l: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\t: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\y: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\z: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\p: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\v: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\e: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\h: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\i: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\q: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\b: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\g: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\x: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\m: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened (read-only) | \??\a: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\j: | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File opened (read-only) | \??\k: | C:\Windows\SysWOW64\qylqcvvf.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\lvxwrnoibc.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File opened for modification | C:\Windows\SysWOW64\lvxwrnoibc.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File opened for modification | C:\Windows\SysWOW64\obpmdcvptferbqc.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File created | C:\Windows\SysWOW64\itrfgsxemmlkz.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
File created | C:\Windows\SysWOW64\obpmdcvptferbqc.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File created | C:\Windows\SysWOW64\qylqcvvf.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File opened for modification | C:\Windows\SysWOW64\qylqcvvf.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
File opened for modification | C:\Windows\SysWOW64\itrfgsxemmlkz.exe | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | \??\c:\Program Files\ResumeDeny.doc.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File created | \??\c:\Program Files\ResumeDeny.doc.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | \??\c:\Program Files\ResumeDeny.doc.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files\ResumeDeny.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files\ResumeDeny.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File created | \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files\ResumeDeny.doc.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files\ResumeDeny.doc.exe | C:\Windows\SysWOW64\qylqcvvf.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.nal | C:\Windows\SysWOW64\qylqcvvf.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File created | C:\Windows\~$mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\~$mydoc.rtf | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
File opened for modification | C:\Windows\mydoc.rtf | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABAFACDFE14F19483743B42819D3E91B38B028B4314023BE1CC459A08A9" | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E7816BB6FE1A22D1D209D1D58B799062" | C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | C:\Windows\SysWOW64\lvxwrnoibc.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Windows\SysWOW64\lvxwrnoibc.exe N/A
N/A N/A C:\Windows\SysWOW64\lvxwrnoibc.exe N/A
N/A N/A C:\Windows\SysWOW64\lvxwrnoibc.exe N/A
N/A N/A C:\Windows\SysWOW64\lvxwrnoibc.exe N/A
N/A N/A C:\Windows\SysWOW64\lvxwrnoibc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\qylqcvvf.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\itrfgsxemmlkz.exe N/A
N/A N/A C:\Windows\SysWOW64\obpmdcvptferbqc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\lvxwrnoibc.exe
PID 2004 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\lvxwrnoibc.exe
PID 2004 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\lvxwrnoibc.exe
PID 2004 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\lvxwrnoibc.exe
PID 2004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\obpmdcvptferbqc.exe
PID 2004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\obpmdcvptferbqc.exe
PID 2004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\obpmdcvptferbqc.exe
PID 2004 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\obpmdcvptferbqc.exe
PID 2004 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2004 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2004 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2004 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2004 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\itrfgsxemmlkz.exe
PID 2004 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\itrfgsxemmlkz.exe
PID 2004 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\itrfgsxemmlkz.exe
PID 2004 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\itrfgsxemmlkz.exe
PID 2716 wrote to memory of 2572 N/A C:\Windows\SysWOW64\lvxwrnoibc.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2716 wrote to memory of 2572 N/A C:\Windows\SysWOW64\lvxwrnoibc.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2716 wrote to memory of 2572 N/A C:\Windows\SysWOW64\lvxwrnoibc.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2716 wrote to memory of 2572 N/A C:\Windows\SysWOW64\lvxwrnoibc.exe C:\Windows\SysWOW64\qylqcvvf.exe
PID 2004 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2004 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2004 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2004 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
PID 2688 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2688 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2688 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2688 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe

"C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"

C:\Windows\SysWOW64\lvxwrnoibc.exe

lvxwrnoibc.exe

C:\Windows\SysWOW64\obpmdcvptferbqc.exe

obpmdcvptferbqc.exe

C:\Windows\SysWOW64\qylqcvvf.exe

qylqcvvf.exe

C:\Windows\SysWOW64\itrfgsxemmlkz.exe

itrfgsxemmlkz.exe

C:\Windows\SysWOW64\qylqcvvf.exe

C:\Windows\system32\qylqcvvf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Windows\mydoc.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2004-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\obpmdcvptferbqc.exe

MD5 c1b7aea6a2b071441cd2b7f5ad3d8784
SHA1 899aa6153d393d4cb14e98f6638238d5bca1db3f
SHA256 b9bc44483512856795a1fae015e065a1a3ae1a75bab711de162d39a75009451f
SHA512 d919de801e4d22723c1e298ba05925278ac730d0e2620e06f68a4d062588666de1e5515082109b6d76374b7f3b9d5cfb8aceeb3ffae85aaa8284107525ca9395

\Windows\SysWOW64\lvxwrnoibc.exe

MD5 e2475e8a46b34995a40313f758796232
SHA1 7dda71374e15c8fa22805b97a9963e0172053631
SHA256 7145ab029e8f89109af6c7b0f2e0ac5e23b5127f8cf4614b7d680569fdf38349
SHA512 707da961f64ce42e007c06d75bc1ea9f2c12f135da70550f32a7787b03c6c2e858e8fc08387ab4863ec14bcaa9b02dc6f67fd9d0f4c2e60093e97a013018cada

\Windows\SysWOW64\qylqcvvf.exe

MD5 fe04121e7e24d036ff1afc7e26ce7931
SHA1 d3bf4fa2afc65846b184d74970fd71b15d2342a7
SHA256 569ffeabc542175b95347259b36c358424e8f05ef685bdf5700d4c5a6de08c63
SHA512 fc57c17a97e8fba7a0b17439281d5f250f984819ab4041ef35acec07412c3d5bad89deb400440ce7ab1dbb8c193ba393c7c13abf2139ac70abd7c61fe7059f34

\Windows\SysWOW64\itrfgsxemmlkz.exe

MD5 28e5fa144fb4c26ff3a1f5d7832e53aa
SHA1 98f4b9ebe100ad1046f638e19012a0aa08a1a648
SHA256 67e897207968a54682c348c4ced68ce6bc5c7e98341b8e75ae797c77074eef33
SHA512 2bcc57c72166093954c6a05853ff0cb3475fd33cdfa0dcd2960f02c492d744919d9c87e03514a2adc156e9d22b85a81d4ba009f395180d42f2453d02329b4c5d

memory/2688-45-0x000000002F221000-0x000000002F222000-memory.dmp

memory/2688-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2688-47-0x000000007192D000-0x0000000071938000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

memory/2688-78-0x000000007192D000-0x0000000071938000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 027946734307570da7ad402d47a1ca37
SHA1 061bd708caed26cbb791431e64a63b51bd0e8339
SHA256 1e4515fed8933e5b6969e4386e3b8b3090e114c64f454bfad4b5446c1e50d62f
SHA512 e5b5f2da6a94c47fa7368fd9a4b51732ec172063b4c46c18585f4d8a3d9f24d0927a95ea63f9dde73c6bb1888dbd957c6230478d1994fb43be3c29038827b205

memory/2688-99-0x000000005FFF0000-0x0000000060000000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 19:20

Reported

2024-01-07 19:24

Platform

win10v2004-20231215-en

Max time kernel

176s

Max time network

174s

Command Line

"C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rhcqsbea = "bcauizkzoa.exe" C:\Windows\SysWOW64\htglmeffqjbbrvx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nrwrflka = "htglmeffqjbbrvx.exe" C:\Windows\SysWOW64\htglmeffqjbbrvx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "bykzxjqvugdle.exe" C:\Windows\SysWOW64\htglmeffqjbbrvx.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\s: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\u: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\o: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\a: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\p: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\n: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\l: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\q: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\i: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\t: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\y: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\m: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\w: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\x: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\j: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\z: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\k: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\r: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\v: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened (read-only) \??\b: C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\bcauizkzoa.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" C:\Windows\SysWOW64\bcauizkzoa.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\bcauizkzoa.exe N/A
File created C:\Windows\SysWOW64\bcauizkzoa.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File opened for modification C:\Windows\SysWOW64\bcauizkzoa.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File created C:\Windows\SysWOW64\bykzxjqvugdle.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File opened for modification C:\Windows\SysWOW64\wygxlmdf.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File opened for modification C:\Windows\SysWOW64\bykzxjqvugdle.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File created C:\Windows\SysWOW64\htglmeffqjbbrvx.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File opened for modification C:\Windows\SysWOW64\htglmeffqjbbrvx.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File created C:\Windows\SysWOW64\wygxlmdf.exe C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File created \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe C:\Windows\SysWOW64\wygxlmdf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mydoc.rtf C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
File opened for modification C:\Windows\mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
File created C:\Windows\~$mydoc.rtf C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "184EC70814E5DBC0B8B97CE8ED9534C8" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLV.Classes C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ABDF9B0F96AF195837D3B44869D3997B38E02FE4311033BE2CC45E609A2" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2EB5B058479038EA53B9BAA632EAD7B9" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7E88FC8E482B821B9030D72D7E94BC92E637594067436332D791" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "33412C7B9C5782236A3577A170562DAD7D8164D8" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E0F36BC4FE6722D9D173D0D38A7C916B" C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bat C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" C:\Windows\SysWOW64\bcauizkzoa.exe N/A
Key created \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A
N/A N/A C:\Windows\SysWOW64\bcauizkzoa.exe N/A (×10 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe N/A (×4 identical rows)
N/A N/A C:\Windows\SysWOW64\wygxlmdf.exe N/A (×8 identical rows)
N/A N/A C:\Windows\SysWOW64\htglmeffqjbbrvx.exe N/A (×10 identical rows)
N/A N/A C:\Windows\SysWOW64\bykzxjqvugdle.exe N/A (×12 identical rows)
N/A N/A C:\Windows\SysWOW64\wygxlmdf.exe N/A (×8 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\bcauizkzoa.exe (×3 identical rows)
PID 1276 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\htglmeffqjbbrvx.exe (×3 identical rows)
PID 1276 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\wygxlmdf.exe (×3 identical rows)
PID 1276 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Windows\SysWOW64\bykzxjqvugdle.exe (×3 identical rows)
PID 568 wrote to memory of 4828 N/A C:\Windows\SysWOW64\bcauizkzoa.exe C:\Windows\SysWOW64\wygxlmdf.exe (×3 identical rows)
PID 1276 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (×2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe

"C:\Users\Admin\AppData\Local\Temp\492aa041e8bc85623d4ee5ca79cb4994.exe"

C:\Windows\SysWOW64\bcauizkzoa.exe

bcauizkzoa.exe

C:\Windows\SysWOW64\htglmeffqjbbrvx.exe

htglmeffqjbbrvx.exe

C:\Windows\SysWOW64\wygxlmdf.exe

wygxlmdf.exe

C:\Windows\SysWOW64\bykzxjqvugdle.exe

bykzxjqvugdle.exe

C:\Windows\SysWOW64\wygxlmdf.exe

C:\Windows\system32\wygxlmdf.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (×5 identical rows)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 73.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/1276-0-0x0000000000400000-0x0000000000496000-memory.dmp

C:\Windows\SysWOW64\htglmeffqjbbrvx.exe

MD5 c2326ab69d0fd8555e3e4d400151e565
SHA1 ffaf83d0c9ec98116e85f71595c23a0f96fb8c40
SHA256 243ae8e2f8c392c2f331a54a95bf062b7748fb5b57d5b35f7f5df341dc068c0d
SHA512 fc218d8f161d3cea68030ca550710d32fac132bb2c9948811fe017e629e9d26e926ed8581c59fd742defbde7754e7d39857c629eae7038af4601f41ec6d3c470

C:\Windows\SysWOW64\bcauizkzoa.exe

MD5 b2fdd5ca36c2ba36c56cfa1f85d3d4a9
SHA1 73c6a70f063be782c79c5a566c594197fbeb2724
SHA256 dae3b6d2be57d568cac77d957b877ddcfa5fb5ae7add5add0ebe8bca5ef3843b
SHA512 97e1a8bc6fb8979543258c73d7b2e62313a1de44c71083e804e8499145787b2d3dc1bb96f70894f36281bfecc143290110c3212f0d9951dd7b83cc82ad2c7000

C:\Windows\SysWOW64\wygxlmdf.exe

MD5 5af76e7cbcf94f3a857e009365c02be9
SHA1 2cc921abfb05c798ed843c54f09f03ee2851367e
SHA256 2e77414ec9b6a38359945da72ed19f7dc4e04bd518c92c2dbad48076b64e3adf
SHA512 1b2a9faa825c130c73b545710dc42818a3ac81e3188171d3a6cbc3f56aa3ed211a63252ab1470f9f184c7beae702d88f1e9ef3dabb439b81df4dce90c5afeae7

C:\Windows\SysWOW64\bykzxjqvugdle.exe

MD5 091ead7fc5857cbb866a9edc33469da4
SHA1 ccfb742c7005e06a3fbd0b6477315d5f9e144406
SHA256 9de7c17176eccc969eb4c6327216a34f3ba9d0c0978416b3a0818fb7c31a3dae
SHA512 79ed703b3f8c15206b446b0038976d8e91384147707df18cc8c46f5b591b24db45262482533fa9cdf76b8223c7f86c250a84dd03be8810bb3ba1eabe2c16b51b

memory/3960-37-0x00007FFF9BE30000-0x00007FFF9BE40000-memory.dmp

memory/3960-39-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

memory/3960-38-0x00007FFF9BE30000-0x00007FFF9BE40000-memory.dmp

memory/3960-40-0x00007FFF9BE30000-0x00007FFF9BE40000-memory.dmp

memory/3960-41-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

memory/3960-42-0x00007FFF9BE30000-0x00007FFF9BE40000-memory.dmp

memory/3960-43-0x00007FFF9BE30000-0x00007FFF9BE40000-memory.dmp

memory/3960-44-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

memory/3960-45-0x00007FFF99CC0000-0x00007FFF99CD0000-memory.dmp

memory/3960-46-0x00007FFF99CC0000-0x00007FFF99CD0000-memory.dmp

C:\Windows\mydoc.rtf

MD5 06604e5941c126e2e7be02c5cd9f62ec
SHA1 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 12b138a5a40ffb88d1850866bf2959cd
SHA1 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

memory/3960-65-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

memory/3960-66-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

memory/3960-67-0x00007FFFDBDB0000-0x00007FFFDBFA5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 78bc718335bc9dee926ed73f8bfda012
SHA1 b00817ac3121974e734aeb741305069e6f6e65e9
SHA256 2057e3818453a592136c19330f35e9830e831b5ec4c6e109a384e3493f81904a
SHA512 7447c9e358745a89a284970df49cdefdc92f5193e777d15e2d188b2450dad8d9a475e3a3bcec29edf102fae6ee99daba2acac0a95ee2e75c5ccd5725a86b704d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2d775732ecf46801a7ebc3eefc894acc
SHA1 c358b3f73c58622c52290432f68d1a7c02bdf470
SHA256 f02425424edd668f657000e053b49ddf9b2b92132927ca28fed3774425313dc6
SHA512 fb1da7d5e7d32fe4851f02c06d92bd780ac19a0e49b882007e578f3391e1c78013222f49dac4060e68e177d7260a27ed7b68e79bc57c79e2ca92ec3f2cd9623b

C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe

MD5 f071bcef3a9f74d6df4579db773c7a9f
SHA1 342414a6cbc209b4ca92ea7e36a09b2d97e18cfc
SHA256 b32c1862274aa9dabeefd45cef4b22fae763c165da5047ff5749a97f784511e5
SHA512 9b6d466159767ba011d988602521b49c035cdc4dc196900feaad4619690e3e392c12cceb44c28a3b42175f17ada27a573d76b43fd6eb4c80cb7e9903f6c0aaf0